From owner-freebsd-security Sun Dec 29 14:56:36 2002
Date: Sun, 29 Dec 2002 15:56:05 -0700
To: Harry Tabak
From: Brett Glass
Subject: Re: Bystander shot by a spam filter.
Cc: freebsd-questions@FreeBSD.ORG, security@FreeBSD.ORG

At 06:13 PM 12/28/2002, Harry Tabak wrote:

> I've been in contact with the port maintainer. His position: 1) This
> problem is out of scope for him, 2) He is away on holiday and can't
> easily access the FreeBSD cluster, 3) Other pressures will keep him
> from this problem for several weeks. He advised me to contact Miss
> Hampton. I can't fault him.

Contacting Ms. Hampton is probably the right thing to do. However, he
can help by changing the procmail.rc file, which controls which
blacklists the recipes will consult. Many FreeBSD ports come with
customized configurations, so this is by no means outside his scope as
a port maintainer.

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Dec 30 5:23:29 2002
From: "Elite Bizkit"
To: freebsd-security@FreeBSD.org
Subject: FreeBSD Jail
Date: Mon, 30 Dec 2002 13:23:03 +0000

I have just built my first jail following instructions in jail(8) and an
article on BSDpro.com and have a few questions relating to jails in
general. First of all, how do you login to the jail (and logout)? Another
question is if someone manages to get root in the jail what happens if
they run "exit", will they get to the host system or will it just close
the jail and their connection? And finally in the BSDpro article the
ports system was mounted using mount_nfs, surely if you can run this in
the jail then you could mount other directories such as "/etc" and screw
around with files on the host system?

I'm probably missing something simple here but if anyone could answer any
of the above I would be very grateful :)

Oh yeah, I'm running FreeBSD 4.7-RELEASE :)

- BiZKiT

From owner-freebsd-security Mon Dec 30 6: 0:49 2002
Date: Mon, 30 Dec 2002 08:00:52 -0600
To: htabak@quadtelecom.com
From: Peter Elsner
Subject: Re: Bystander shot by a spam filter.
Cc: freebsd-security@freebsd.org

Your comment:

    Until it is fixed, and proven harmless, FreeBSD should stop
    distributing this product.

Is silly.

The port is not installed by default, it has to be installed. So the
only thing that needs to happen is that the port maintainer put a notice
on the port stating the possible problems that might occur.

If the ISP uses it, then you need to complain to the ISP. Don't think
that FreeBSD has to stop carrying the port because of some stupid ISP who
doesn't know what the hell they are doing anyway.

At 08:45 AM 12/28/2002 -0500, you wrote:
> [This is a resend. Ironically, the original was blocked by FreeBSD's spam
> filter, I've had to send this from another account]
>
> I am not sure which list is best for this issue, hence the cross
> posting. I believe spam and anti-spam measures are security issues --
> the 'Availability' part of C-I-A. I apologize if I am wrong. A FreeBSD
> ported package is contributing to an internet service availability
> problem that has me stumped. I believe that an unknowable quantity of
> other internet denizens are also affected.
>
> I'm a long time fan of FreeBSD -- I run it on my small mail server and
> I've recommended it for many applications. I even bought a CD once. I
> write this missive with great reluctance. I've worked with a lot of
> strange software over the years, but this is a new first -- Software
> that slanders! Software that publicly called me a spammer!!! And not to
> my face, but to a business associate. And then took action.
>
> I recently discovered, and quite by accident, that a FreeBSD ported
> package -- spambnc (aka Spambouncer or SB) -- was blocking mail from me
> to an unknown number of businesses and individuals on the internet. I'll
> probably never have to correspond with most of these people, but I'm a
> freelancer -- this may have already cost me a job. [Dear reader, don't
> be surprised if you or your clients are also blocked. I strongly suggest
> that you check it out.]
>
> Anti-spam products have a valuable place in the security arsenal. But,
> IMHO, this product is dangerous because it includes filters and rules
> that are overreaching, and inaccurate. Bad firewall rules and bad
> anti-spam rules may be OK for an individual site. However, spambnc's
> bad advice is being mass marketed through the good offices of FreeBSD,
> and it is putting potholes in the net for the rest of us. Until it is
> fixed, and proven harmless, FreeBSD should stop distributing this product.
>
> Basically, the default built-in policies for blocking mail aren't fully
> described, and there is no mechanism to universally correct the
> inevitable mistakes in a timely manner. Users (people who install this
> product) are misled about the probability of filtering the wrong mail. I
> am sure that the software was developed with the very best intentions,
> but in its zeal to block lots and lots of spam, SB is hurting good people.
>
> The SB rule blocking my mail host has nothing to do with me. Even
> though it can use dynamic anti-spam DNS services, SB hard codes its
> rules for filtering bad domains by name and by IP address. My nemesis is
> buried in a 1476 line file, sb-blockdomains.rc, which installs by
> default, and is not documented outside the code. Along with others, it
> blocks the entire 66.45.0.0/17 space because spammers might live there.
> This is sort of like a corporate mail room throwing away all NJ
> postmarked mail because of the bulk mail distribution centers in Secaucus.
>
> My mail host address gets a clean bill of health from every anti-spam
> site that I can find, such as SPEWS. I've checked at least 30 of them.
>
> My tiny x/29 block is sub-allocated from my DSL provider's x/23 block.
> The DSL provider's block is a sub-allocation from Inflow.com's
> 66.45.0.0/17 block. Spambouncer doesn't like Inflow. While they have a
> right to their opinions, they don't have a right to publicly tar me
> because of my neighbors.
>
> If I read sb-blockdomains # comments correctly, it is policy to not
> only block known spammers, but to ALSO block entire networks based on
> their handling of spam complaints. This is like a business
> receptionist checking callerID and then ignoring incoming calls from
> Verizon subscribers because Verizon tolerates (and probably invented)
> telemarketing.
>
> I have written to both the Spambouncer contact address
> and the FreeBSD maintainer, but without a
> response. Possibly they are on holiday, or spambouncer is eating my
> mail. Perhaps I'm just too impatient.
>
> I have also contacted my ISP's support. They don't know how to help
> me. They vouch for Inflow. They don't recommend it, but for a fee, my
> service could be switched to a different PVC, and I'd get an address
> from a different carrier. But of course, the new address could be
> black-listed on a whim.
>
> Regardless, I assume that these are reasonable people, and that they
> will oil the squeaky wheel as soon as it is convenient. But how will I
> ever know that EVERY copy of spambouncer has been fixed? What about
> other innocent ISP subscribers who are also black-listed?
>
> Harry Tabak
> QUAD TELECOM, INC.

------------------------------------------------------------
Peter Elsner
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax

I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
-- Mike Godwin

Unix IS user friendly... It's just selective about who its friends are.

System Administration - It's a dirty job, but somebody said I had to do it.

If you receive something that says 'Send this to everyone you know,
pretend you don't know me.

Standard $500/message proofreading fee applies for UCE.

From owner-freebsd-security Mon Dec 30 7: 7:25 2002
Date: Mon, 30 Dec 2002 10:01:41 -0500
From: Steve Shorter
To: Elite Bizkit
Cc: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Jail

On Mon, Dec 30, 2002 at 01:23:03PM +0000, Elite Bizkit wrote:
> First of all, how do you login to the jail (and logout)? Another question is

The same way that you log in to any system. Well, there are
restrictions in the jail of course. A common way is to run sshd in a
jail and then ssh in. I usually run sshd and syslogd in the jailed
environment, this depends on what you need of course.

> if someone manages to get root in the jail what happens if they run "exit",
> will they get to the host system or will it just close the jail and their
> connection? And finally in the BSDpro article the ports system was mounted

"exit". You mean exit a shell? Well, then the shell will exit and the
connection may close and then you will still have sshd running in the
jail or whatever...

> using mount_nfs, surely if you can run this in the jail then you could mount
> other directories such as "/etc" and screw around with files on the host
> system?

You can't run mount in a jail. That doesn't mean that the mounts
outside of the jail are all invisible inside. It depends how you set up
your chroot environment. One interesting "feature" of NFS mounts is that
they can be read/write in the jail but the network they are mounted on
can be otherwise inaccessible to the jail.

>
> I'm probably missing something simple here but if anyone could answer any of
> the above I would be very grateful :)
>

Experimenting with jail is fun and probably the best way to learn this
stuff.

From owner-freebsd-security Mon Dec 30 9:32:25 2002
From: "Elite Bizkit"
To: freebsd-security@FreeBSD.org
Subject: one more thing ;)
Date: Mon, 30 Dec 2002 17:31:37 +0000

Hi again, thanks for all your help so far :) I'm starting to feel at home
using the Jail now. Anyway another quick question, when using mount_nfs,
does the jail have to be active when I mount to it or can I mount
something e.g. the ports, then activate the jail and install some
programs? I haven't used sshd before so I'm looking for ways around it at
the moment, I'll have to start reading up on it :p

- BiZKiT
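
The "Bystander shot by a spam filter" message quoted earlier in this digest describes a small sub-allocated block being caught by a hard-coded 66.45.0.0/17 entry. The following Python audit is an added example, not part of the thread and not Spambouncer's code: it reports which hard-coded entry catches a mail host and how much address space each wide entry sweeps up. The blocklist is reduced to bare CIDRs, and the /29 and host address are constructed values inside the /17, not the poster's real allocation.

```python
import ipaddress

# Constructed sample: hard-coded filter entries reduced to bare CIDRs.
# Only 66.45.0.0/17 appears in the thread; the rest are documentation ranges.
BLOCKED = ["66.45.0.0/17", "192.0.2.16/29", "198.51.100.0/24", "203.0.113.7/32"]

# Hypothetical customer allocation inside the /17 (not the poster's real block).
CUSTOMER_BLOCK = "66.45.10.8/29"
MAIL_HOST = "66.45.10.9"


def parse(entries):
    """Parse CIDR strings; strict mode rejects entries with host bits set."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def matches(host, networks):
    """Return every entry that covers host, broadest entry first."""
    addr = ipaddress.ip_address(host)
    return sorted((n for n in networks if addr in n), key=lambda n: n.prefixlen)


def overbroad(networks, max_addresses=256):
    """List entries covering more than max_addresses, with their size."""
    return [(str(n), n.num_addresses) for n in networks
            if n.num_addresses > max_addresses]


def collateral(customer_block, networks):
    """For each wider entry containing the block, count the other addresses
    that are blocked along with it."""
    block = ipaddress.ip_network(customer_block, strict=True)
    return [(str(n), n.num_addresses - block.num_addresses)
            for n in networks if n != block and block.subnet_of(n)]


if __name__ == "__main__":
    nets = parse(BLOCKED)
    for n in matches(MAIL_HOST, nets):
        print(f"{MAIL_HOST} is caught by hard-coded entry {n}")
    for cidr, size in overbroad(nets):
        print(f"review before deploying: {cidr} covers {size} addresses")
    for cidr, others in collateral(CUSTOMER_BLOCK, nets):
        print(f"{CUSTOMER_BLOCK} shares {cidr} with {others} other addresses")
```

Running the same check against the CIDRs extracted from a filter's rule file before deployment shows which entries would reject mail from address space far larger than any single sender.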