From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 04:19:29 2003
Date: Sun, 27 Jul 2003 13:28:47 +0200
From: Socketd
To: freebsd-security@freebsd.org
Message-Id: <20030727132847.5adc6b07.db@traceroute.dk>
In-Reply-To: <20030726235710.GD4105@cirb503493.alcatel.com.au>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Sun, 27 Jul 2003 09:57:10 +1000
Peter Jeremy wrote:

> > But what files REALLY MUST have it ?
>
> There's no simple answer to this. It's a matter of going through each
> file with setuid (or setgid) set, understanding why that file has the
> set[gu]id bit and whether you need that functionality.

Robert Watson is going through all the setuid files, to see which really
need to be setuid. In -CURRENT he has removed the setuid bit from quota.

Anyway I have been thinking about writing a program to make the default
installation (with "extreme" security) even more secure. I have attached
the configuration file; it should explain what the program can do. (Not
one line of code has been written yet.)

Btw setting noexec and nosuid on a mount point is a little redundant,
right? I mean since the user can't execute files, there is no point in
also setting nosuid?

Best regards
Socketd

ps: Please remember that the LockDown configuration file is only version
0.1, so nothing is final.

--- attachment: lockdown.conf (base64 in the original, decoded here) ---

# Lockdown configuration file
# You can freely add your own options by using the following keywords:
# define="" _text_          Works like C/C++'s #define
# rc_conf=""                Means the text will be added to /etc/rc.conf
# sysctl=""                 The text will be added to /etc/sysctl.conf
# kern=""                   The text will be added to your kernel configuration file
# mount=""                  The text will be added to /etc/fstab
# login_class="" ""         The text will be added to the specified login class
# file _mode_ "" _flags_    Will give the file the mode _mode_ and flags _flags_
# openssh=""                The text will be added to /etc/ssh/sshd_config

# Lockdown will not simply add the text to the files, it will search
# the file to see if the option is already there and change it if needed.
# If no match is found the text will be added.

# Please specify a file to add the kernel options to.
kern_file="/usr/src/sys/i386/conf/LOCKDOWN"

# When restricting access to suid, gid and information files,
# we use "define" to set the file mode. You can also write
# the mode directly on a per-file basis.
define="noWorld" "0007"
define="disable" "7777"

# Here are some examples of how to use the file options:
# file 0007     "/etc/rc.conf"
# file noWorld  "/etc/rc.conf"
# file noWorld  "/etc/rc.conf" "sappnd,schg"
# define="logFile" "sappnd,schg"
# file noWorld  "/etc/rc.conf" LogFile


####################
# Mounting options #
####################
# If the mount point exists, mount it with the specified options.
# Please remember that /tmp has to be executable to "make world"
# and if you need to jail a process in a partition, don't mount it with "nodev"

mount="/tmp"        "noexec, nodev, nosymfollow"
mount="/var/tmp"    "noexec, nodev, nosymfollow"
mount="/home"       "nosuid, nodev"
mount="/usr/home"   "nosuid, nodev"
mount="/var"        "nosuid, nodev"
mount="/var/mail"   "noexec, nodev"

########################
# /etc/rc.conf options #
########################
# This will just add some options to /etc/rc.conf
rc_conf="enable_sendmail="NONE""
rc_conf="kern_securelevel_enable="YES""
rc_conf="kern_securelevel="3""
rc_conf="clear_tmp_enable="YES""
#rc_conf="update_motd="NO""
rc_conf="syslogd_flags="-ss""            //Uncomment this if this is a log server

##################
# Stealth server #
##################
# If this is a log server, firewall or gateway you can put it into stealth mode.
# This is NOT recommended for normal server use.
# Note: For a stealthier server you should also block some icmp request like:
# PING, kajsdkasdhlkad
#rc_conf="tcp_drop_synfin="YES""
#sysctl="net.inet.tcp.blackhole=2"
#sysctl="net.inet.udp.blackhole=1"
#kern="options   IPSTEALTH"
#kern="options   TCP_DROP_SYNFIN"

######################
# Networking options #
######################
rc_conf="icmp_drop_redirect="YES""
rc_conf="icmp_log_redirect="YES""
rc_conf="log_in_vain="YES""
kern="options    RANDOM_IP_ID"
openssh="AllowGroups wheel"
openssh="Protocol 2"
# Creates /etc/ftpwelcome and adds "Banner /etc/warning" to openssh. /etc/warning is a symlink to /etc/ftpwelcome
set_warning="Blah blah blah, some warning."

#######################
# Login Class options #
#######################
login_class="default" "minpasswordlen=8"
login_class="default" "mixpasswordcase=true"
login_class="default" "uname=077"
# Add crypt_default=blf in /etc/auth.conf and passwd_format=blf to default login.class
use_blowfish="YES"

##############
# Root Login #
##############
no_direct_root_login="YES"                  # Set tty* in /etc/ttys to insecure
password_protect_singleuser_mode="YES"      # Set console to insecure in /etc/ttys

#####################
# Restrict the user #
#####################
allow_cron="NO"
allow_at="NO"
sysctl="security.bsd.see_other_uids=0"      # Use kern.ps_showallprocs for 4.X

##################
# Kernel options #
##################
kern="options    SC_NO_HISTORY"             # Don't keep history, so it can't be scrolled
kern="options    SC_DISABLE_REBOOT"         # Disable ctrl+alt+del
#kern="options   SC_DISABLE_DDBKEY"         # Uncomment if using the kernel debugger

################################
# Restrict access to suid files #
################################
file disable "/bin/rcp"
file noWorld "/sbin/mksnap_ffs"
file noWorld "/sbin/ping"
file noWorld "/sbin/ping6"
file noWorld "/sbin/shutdown"
file noWorld "/usr/bin/at"
file noWorld "/usr/bin/atq"
file noWorld "/usr/bin/atrm"
file noWorld "/usr/bin/batch"
file noWorld "/usr/bin/chpass"
file noWorld "/usr/bin/chfn"
file noWorld "/usr/bin/chsh"
file noWorld "/usr/bin/ypchpass"
file noWorld "/usr/bin/ypchfn"
file noWorld "/usr/bin/ypchsh"
file noWorld "/usr/bin/lock"
file noWorld "/usr/bin/login"
file noWorld "/usr/bin/opieinfo"
file noWorld "/usr/bin/opiepasswd"
file noWorld "/usr/bin/passwd"
file noWorld "/usr/bin/yppasswd"
file noWorld "/usr/bin/quota"
file disable "/usr/bin/rlogin"
file disable "/usr/bin/rsh"
file noWorld "/usr/bin/su"
file noWorld "/usr/bin/crontab"
file noWorld "/usr/bin/lpq"
file noWorld "/usr/bin/lpr"
file noWorld "/usr/bin/lprm"
file noWorld "/usr/libexec/pt_chown"
file noWorld "/usr/sbin/mrinfo"
file noWorld "/usr/sbin/mtrace"
file noWorld "/usr/sbin/sliplogin"
file noWorld "/usr/sbin/timedc"
file noWorld "/usr/sbin/traceroute"
file noWorld "/usr/sbin/traceroute6"
file noWorld "/usr/sbin/ppp"
file noWorld "/usr/sbin/pppd"

###############################
# Restrict access to gid files #
###############################
file noWorld "/usr/bin/fstat"
file noWorld "/usr/bin/netstat"
file noWorld "/usr/bin/vmstat"
file noWorld "/usr/bin/wall"
file noWorld "/usr/bin/write"
file noWorld "/usr/bin/lpq"
file noWorld "/usr/bin/lpr"
file noWorld "/usr/bin/lprm"
file noWorld "/usr/libexec/sendmail/sendmail"
file noWorld "/usr/sbin/trpt"
file noWorld "/usr/sbin/lpc"

#######################################
# Restrict access to information files #
#######################################
# if you change permissions on files also listed in /etc/newsyslog.conf,
# Lockdown will also adjust /etc/newsyslog.conf accordingly
file noWorld "/sbin/sysctl"
file noWorld "/usr/bin/uname"
file noWorld "/sbin/kldstat"
#file noWorld "/usr/bin/netstat"            #Uncomment if using 4.X
file noWorld "/sbin/route"
file noWorld "/usr/sbin/arp"
file noWorld "/sbin/dmesg"
file noWorld "/var/run/dmesg.boot"
file noWorld "/etc/hosts"
file noWorld "/etc/fstab"
file noWorld "/etc/ssh/sshd_config"
file noWorld "/etc/crontab"
file noWorld "/etc/ftpusers"
file noWorld "/etc/hosts.allow"
file noWorld "/etc/host.conf"
file noWorld "/etc/hosts.equiv"
file noWorld "/etc/hosts.lpd"
file noWorld "/etc/inetd.conf"
file noWorld "/etc/login.access"
file noWorld "/etc/login.conf"
file noWorld "/etc/sysctl.conf"
file noWorld "/etc/syslog.conf"
file noWorld "/etc/ttys"
file noWorld "/etc/rc.conf"
file noWorld "/etc/mac.conf"
file noWorld "/etc/group"
file noWorld "/etc/passwd"
file noWorld "/etc/newsyslog.conf"
file 0007    "/etc/periodic/"
file 0007    "/var/db/pkg/"
file noWorld "/usr/sbin/pkg_version"
file noWorld "/usr/sbin/pkg_info"
file noWorld "/usr/bin/last"
file noWorld "/usr/sbin/lastlogin"
file noWorld "/sbin/ipfw"
file noWorld "/sbin/mount"
file noWorld "/usr/bin/users"
file noWorld "/usr/bin/w"
file noWorld "/usr/bin/who"
file noWorld "/usr/bin/lastcomm"
file noWorld "/usr/sbin/jls"

--- end of attachment ---

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 05:26:41 2003
Date: Sun, 27 Jul 2003 14:36:00 +0200
From: Socketd
To: hawkeyd@visi.com, freebsd-security@freebsd.org
Message-Id: <20030727143600.1517c588.db@traceroute.dk>
In-Reply-To: <20030727112933.GA6135@sheol.localdomain>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Sun, 27 Jul 2003 06:29:33 -0500
D J Hawkey Jr wrote:

> This looks like a good idea, to me.

Great :-)

> Your plan is to incorporate this into/for rc.conf, and your program
> would be run at boot?

It is meant to be installed from the port collection and then executed
once, but you can of course run it as many times as you want (but if you
haven't changed the system since the last time you ran it, this makes no
sense).

> What language do you think you'll use (hopefully,
> something supported by the base OS, e.g., not ruby, modula, or perl)?

I use C++

br
db

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 05:51:39 2003
Date: Sun, 27 Jul 2003 07:51:36 -0500
From: D J Hawkey Jr
To: Socketd
cc: freebsd-security@freebsd.org
Message-ID: <20030727125136.GA6810@sheol.localdomain>
In-Reply-To: <20030727143600.1517c588.db@traceroute.dk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

CC'ing security@ now, since you did.

On Jul 27, at 02:36 PM, Socketd wrote:
>
> On Sun, 27 Jul 2003 06:29:33 -0500
> D J Hawkey Jr wrote:
>
> > Your plan is to incorporate this into/for rc.conf, and your program
> > would be run at boot?
>
> It is meant to be installed from the port collection and then executed
> once, but you can of course run it as many times you want (but if you
> haven't changed the system, since the last time you ran it, this makes no
> sense).

Would you consider my above suggestion?

It could certainly be installed from the ports collection, but it would
be most useful to me (and p'raps others?) as a boot-time thang. Think of
dedicated firewalls and routers, especially those that boot from custom
CDs [and p'raps read floppies for "volatile" configuration].

In my mind, the conf could be installed as /etc/rc.whatever, and the
program could be installed as /usr/local/etc/rc.d/whatever. In this way,
it'd be run on boot, and could be run anytime as
"/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.

I'm thinking of rootkits and whatnot that drop a SUID/SGID program on a
box and force a reboot to "kick it in". Your program, by enforcing the
"rules" in the conf, could remove the exec bits on the trojan, or just
blow the trojan away. I realize I might be widening the scope here...

Were you to go this way, I could see where Core might consider adding
your work into the base? I'd lobby for it. :-)

> > What language do you think you'll use (hopefully,
> > something supported by the base OS, e.g., not ruby, modula, or perl)?
>
> I use C++

Oh. I was hoping you'd answer "shell script" (my preference, for quick
'n easy modification), or "C".

Just some suggestions,
Dave

-- 
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 06:38:02 2003
Date: Sun, 27 Jul 2003 15:37:24 +0200
From: "Peter Rosa"
Organization: PRO, s.r.o.
To: "twig les"
cc: FreeBSD Security
Message-ID: <002401c35444$36d146e0$3501a8c0@pro.sk>
Subject: Re: suid bit files + securing FreeBSD

Absolutely perfect. Fantastic. Exactly the type of information I was
looking for a long time ago. Many thanks and have a nice day.

Peter Rosa

----- Original Message -----
From: "twig les"
To: "Peter Rosa" ; "FreeBSD Security"
Sent: Sunday, July 27, 2003 6:17 AM
Subject: Re: suid bit files + securing FreeBSD

> I don't know exactly what you mean by "wizard", maybe a
> menu-driven gui like Nero or M$ Lookout or something? Anyhoo I
> really like this checklist here:
> http://sddi.net/FBSDSecCheckList.html. I guess one could script
> a lot of this. This page also has a boatload of links at the
> bottom.
>
> As for perfect security I like to run Sendmail and BIND on
> RedHat myself, unless I can get my hands on an IIS box. woot!
> Sorry, it's late Saturday, thus I'm feeling mischievous.
>
> > Second question is: Has anybody an exact wizard, how to secure
> > the FreeBSD machine. Imagine the situation, the only person who
> > can do anything on that machine is me, and nobody other. I have
> > set very restrictive firewalling, I have removed ALL tty's except
> > two local tty's (I need to work on that machine), but there are
> > still open port 25 and 53 (must be forever), so someone very
> > tricky can compromise my machine.
> >
> > I'm a little bit paranoid, aren't I :-))))))
> >
> > Cheers,
> >
> > Peter Rosa
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> =====
> -----------------------------------------------------------
> Emo is what happens when the glee club goes punk.
> -----------------------------------------------------------
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 06:43:19 2003
Date: Sun, 27 Jul 2003 15:52:39 +0200
From: Socketd
To: hawkeyd@visi.com, security@freebsd.org
Message-Id: <20030727155239.3205a60b.db@traceroute.dk>
In-Reply-To: <20030727125136.GA6810@sheol.localdomain>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
On Sun, 27 Jul 2003 07:51:36 -0500
D J Hawkey Jr wrote:

> CC'ing security@ now, since you did.

Oh sorry, didn't see that you only replied to me :-)

> Would you consider my above suggestion?
> It could certainly be installed from the ports collection, but it
> would be most useful to me (and p'raps others?) as a boot-time thang.
> Think of dedicated firewalls and routers, especially those that boot
> from custom CDs [and p'raps read floppies for "volatile"
> configuration].
>
> In my mind, the conf could be installed as /etc/rc.whatever, and the
> program could be installed as /usr/local/etc/rc.d/whatever. In this
> way, it'd be run on boot, and could be run anytime as
> "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.

Ah, good idea!

> I'm thinking of rootkits and whatnot that drop a SUID/SGID program on
> a box and force a reboot to "kick it in". Your program, by enforcing
> the "rules" in the conf, could remove the exec bits on the trojan, or
> just blow the trojan away. I realize I might be widening the scope
> here...

Hmm, if an attacker got root and installed a rootkit LockDown would be
of no help. LockDown was meant to automatically set up a secure machine
using the facilities that are already in the base system, but you gave
me an idea! LockDown could search for ALL suid and gid files and set the
permissions according to the conf file; the files not listed there would
be disabled (or set to a user specified default). But then again, if an
admin installs a port with suid files and forgets to add them to the
LockDown conf file, they would be disabled the next time LockDown is
executed.

I have also thought about adding these options:

1. More kernel help, so you quickly can set up a kernel:
   kern_using_RAID=""    YES if you are using raid hardware
   kern_using_SCSI=""    YES if you are using SCSI hardware
   kern_using_IPv6=""    YES if you want to use IPv6
   kern_using_proc=""    YES if you want to use /proc
   kern_NIC=""           The nic's you use.

2. Support for most of the files in /etc (and other?)

3. Give security advice:
   1. Setting up different daemons
   2. What ports to install
   3. How to set up scripts to be used with cron and what to include in them

> Were you to go this way, I could see where Core might consider adding
> your work into the base? I'd lobby for it. :-)

My code in the base system...oh I don't even dare think the beautiful
thought ;-)

> > I use C++
>
> Oh. I was hoping you'd answer "shell script" (my preference, for quick
> 'n easy modification), or "C".

Well, it could be written as a shell script, but I only know C++. If
someone wants to join this project and write the shell script, I would be
happy to help with the overall design and documentation.

br
socketd

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 06:45:08 2003
Date: Sun, 27 Jul 2003 15:44:33 +0200
From: "Peter Rosa"
Organization: PRO, s.r.o.
To: "Socketd"
cc: FreeBSD Security
Message-ID: <004c01c35445$3603c840$3501a8c0@pro.sk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

It sounds very good... Even more to write it...
I'm sorry, I can not help you as I'm not a programmer (some basics only).

Good luck with your plan and, please, announce it here after finishing.

Best regards
Peter Rosa

----- Original Message -----
From: "Socketd"
Sent: Sunday, July 27, 2003 1:28 PM
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

> On Sun, 27 Jul 2003 09:57:10 +1000
> Peter Jeremy wrote:
>
> > > But what files REALLY MUST have it ?
> >
> > There's no simple answer to this. It's a matter of going through each
> > file with setuid (or setgid) set, understanding why that file has the
> > set[gu]id bit and whether you need that functionality.
>
> Robert Watson is going through all the setuid files, to see which really
> need to be setuid. In -CURRENT he has removed the setuid bit from quota.
>
> Anyway I have been thinking about writing a program to make the default
> installation (with "extreme" security) even more secure. I have attached
> the configuration file, it should explain what the program can do. (not
> one line of code has been written yet).
>
> Btw setting noexec and nosuid on a mount point is a little redundant
> right? I mean since the user can't execute files, there is no point in
> also setting nosuid?
>
> Best regards
> Socketd
>
> ps: Please remember that the LockDown configuration file is only version
> 0.1, so nothing is final.

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 07:00:24 2003
Date: Sun, 27 Jul 2003 16:09:43 +0200
From: Socketd
To: "Peter Rosa", security@freebsd.org
Message-Id: <20030727160943.289e6bd2.db@traceroute.dk>
In-Reply-To: <004c01c35445$3603c840$3501a8c0@pro.sk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 Jul 2003 14:00:24 -0000 On Sun, 27 Jul 2003 15:44:33 +0200 "Peter Rosa" wrote: > It sounds very good... Event more to write it... > I'm sorry, I can not help you as I'm not programmer (some basics > only). > > Good luck with your plan and, please, announce it here atfter > finishing. Sure will :-) br socketd From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 08:29:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A78E737B404 for ; Sun, 27 Jul 2003 08:29:26 -0700 (PDT) Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9E80043F85 for ; Sun, 27 Jul 2003 08:29:25 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by conn.mc.mpls.visi.com (Postfix) with ESMTP id C1B8982FA; Sun, 27 Jul 2003 10:29:24 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id h6RFTOn15034; Sun, 27 Jul 2003 10:29:24 -0500 (CDT) (envelope-from hawkeyd) X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail Date: Sun, 27 Jul 2003 10:29:23 -0500 From: D J Hawkey Jr To: Socketd Message-ID: <20030727152923.GA14224@sheol.localdomain> References: <00d601c3539a$91576a40$3501a8c0@pro.sk> <20030726235710.GD4105@cirb503493.alcatel.com.au> <20030727132847.5adc6b07.db@traceroute.dk> <20030727112933.GA6135@sheol.localdomain> <20030727143600.1517c588.db@traceroute.dk> <20030727125136.GA6810@sheol.localdomain> <20030727155239.3205a60b.db@traceroute.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030727155239.3205a60b.db@traceroute.dk> User-Agent: Mutt/1.4.1i cc: security@freebsd.org Subject: Re: suid 

On Jul 27, at 03:52 PM, Socketd wrote:

> On Sun, 27 Jul 2003 07:51:36 -0500
> D J Hawkey Jr wrote:
>
> > It could certainly be installed from the ports collection, but it
> > would be most useful to me (and p'raps others?) as a boot-time thang.
> > Think of dedicated firewalls and routers, especially those that boot
> > from custom CDs [and p'raps read floppies for "volatile"
> > configuration].
> >
> > In my mind, the conf could be installed as /etc/rc.whatever, and the
> > program could be installed as /usr/local/etc/rc.d/whatever. In this
> > way, it'd be run on boot, and could be run anytime as
> > "/usr/local/etc/rc.d/whatever start", and p'raps as a cronjob, too.
>
> Ah, good idea!
>
> LockDown could search for ALL suid and gid files and set the
> permissions according to the conf file; the files not listed there
> would be disabled (or set to a user-specified default)...

Now you're thinking along the lines I'm thinking. Something of a
system hyper- or super-visor.

> ...But then again,
> if an admin installs a port with suid files and forgets to add them to
> the LockDown conf file, they would be disabled the next time LockDown
> is executed.

We-ell, the admin ought not forget that, eh? ;-,

The program could notify the admin in some manner or another when it
disables something - I've written a few scripts that mail a cell 'phone
or pager when they do something that should be known of when it
happens. A log entry via syslogd(8) is mandatory, of course.

> I have also thought about adding these options:
> 1. More kernel help, so you can quickly set up a kernel:
>    kern_using_RAID=""   YES if you are using RAID hardware
>    kern_using_SCSI=""   YES if you are using SCSI hardware
>    kern_using_IPv6=""   YES if you want to use IPv6
>    kern_using_proc=""   YES if you want to use /proc
>    kern_NIC=""          The NICs you use.
>
> 2. Support for most of the files in /etc (and others?)
>
> 3. Give security advice:
>    1. Setting up different daemons
>    2. What ports to install
>    3. How to set up scripts to be used with cron and what to
>       include in them

I wouldn't go too far "out of scope" too fast; you might end up
re-writing Tripwire!

I do like the idea of checking /etc... maybe... using cksum(1), or
something like that. I currently use local periodic(8) scripts, similar
to /etc/periodic/daily/2*, that back up /etc, /etc/mail, and
/etc/namedb.

Regarding the above comment about forgetful admins, they also have to
remember to update Tripwire's config file(s), don'tcha know.

> > Were you to go this way, I could see where Core might consider adding
> > your work into the base? I'd lobby for it. :-)
>
> My code in the base system...oh I don't even dare think the beautiful
> thought ;-)

NOTE: I'm not a committer! I only mention the possibility; I can't make
it so.

> > > I use C++
> >
> > Oh. I was hoping you'd answer "shell script" (my preference, for
> > quick 'n easy modification), or "C".
>
> Well, it could be written as a shell script, but I only know C++. If
> someone wants to join this project and write the shell script, I would
> be happy to help with the overall design and documentation.

I've gotten pretty fluent with sh(1), awk(1), and sed(1). I could
pro'lly write what you envision in a shell script. I wouldn't want to
re-write a C++ program though; I'm not well versed in C++'s "nuances".

Dave

-- 
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 09:46:12 2003
From: Socketd
To: hawkeyd@visi.com, security@freebsd.org
Date: Sun, 27 Jul 2003 18:55:32 +0200
Message-Id: <20030727185532.70c0b4b9.db@traceroute.dk>
In-Reply-To: <20030727152923.GA14224@sheol.localdomain>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Sun, 27 Jul 2003 10:29:23 -0500
D J Hawkey Jr wrote:

> > LockDown could search for ALL suid and gid files and set the
> > permissions according to the conf file; the files not listed there
> > would be disabled (or set to a user-specified default)...
>
> Now you're thinking along the lines I'm thinking. Something of a
> system hyper- or super-visor.

Well, I don't know if we are thinking along the same lines. LockDown is
not meant to be an IDS or system monitor program, just a quick secure
setup helper.

> I do like the idea of checking /etc... maybe... using cksum(1), or
> something like that. I currently use local periodic(8) scripts,
> similar to /etc/periodic/daily/2*, that back up /etc, /etc/mail, and
> /etc/namedb.

By /etc support I meant options like rc_conf, login_class and openssh
for "all" files in /etc.

> NOTE: I'm not a committer! I only mention the possibility; I can't
> make it so.

Hehe, I know :-)

> I've gotten pretty fluent with sh(1), awk(1), and sed(1). I could
> pro'lly write what you envision in a shell script. I wouldn't want to
> re-write a C++ program though; I'm not well versed in C++'s "nuances".
The program is really easy to write since it only changes file
permissions and adds text to some files in /etc (and other easy-to-write
stuff).

br
socketd

From owner-freebsd-security@FreeBSD.ORG Sun Jul 27 23:48:12 2003
From: Paul Chvostek
To: freebsd-security@freebsd.org
Date: Mon, 28 Jul 2003 02:47:29 -0400
Message-ID: <20030728064729.GA30191@mail.it.ca>
Subject: ssh and X11Forwarding

What has to be installed on a host for it to do X11Forwarding in SSH?

My (FreeBSD) workstation at home is behind NAT. From home, I can SSH to
a FreeBSD firewall at work, and from there I can get to other hosts
around the internal network there, some of which run X clients. Does X
have to be installed *on the firewall* for me to forward X11 connections
from the X clients back to my workstation at home?

Thanks.
:)

-- 
Paul Chvostek
Operations / Abuse / Whatever
it.canada, hosting and development
http://www.it.ca/

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 00:47:32 2003
From: Jason Stone
To: Paul Chvostek
Cc: freebsd-security@freebsd.org
Date: Mon, 28 Jul 2003 00:47:28 -0700 (PDT)
Message-ID: <20030728003941.C77638@walter>
In-Reply-To: <20030728064729.GA30191@mail.it.ca>
Subject: Re: ssh and X11Forwarding

> What has to be installed on a host for it to do X11Forwarding in SSH?
> Does X have to be installed *on the firewall* for me to forward X11
> connections from the X clients back to my workstation at home?

Depends on how you're ssh'ing. If you're ssh'ing from your box to the
firewall, and from the firewall to the target, then you'll need X
support on all the boxes, yes.
However, if you're doing the right thing and ssh'ing _through_ the
firewall to the target host (e.g., with openssh's ProxyCommand option,
or with multiple ssh's and port forwards), then you only need X support
on your machine and the target machine.

I think that "X support" consists of xauth and whatever libraries are
needed by the binary you want to run.

The topically interesting part of this question is the issue of how you
handle multiple ssh hops - I think that most people don't know about
ProxyCommand, and when they have to ssh through multiple machines, they
just go from one to the next to the next, which is bad, security-wise,
not to mention less powerful. Is this worth a faq entry?

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the
suspicion that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 11:38:53 2003
From: "Ronan Lucio"
Date: Mon, 28 Jul 2003 15:40:27 -0300
Message-ID: <016201c35537$b6a673b0$3aa8a8c0@melim.com.br>
Subject: IPSec
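The "ssh through the firewall" setup Jason recommends above, written out as an added example ~/.ssh/config for the home workstation (not from any post in this thread): the host names fw.example.com and lab1.internal and the user name are placeholders, and the -W form of ProxyCommand assumes OpenSSH 5.4 or later.

```sshconfig
# ~/.ssh/config on the home workstation.  Added example for the scheme Jason
# describes; "fw.example.com", "lab1.internal" and the user are placeholders.

# Hop 1: the firewall.  It only relays a TCP connection, so it needs no X
# libraries and no xauth(1); X11 forwarding is explicitly off for it.
Host fw
    HostName fw.example.com
    User paul
    ForwardX11 no

# Hop 2: the inner host, reached *through* the firewall.  ProxyCommand asks
# the fw session to open a TCP tunnel to lab1 (-W needs OpenSSH 5.4 or later;
# older releases use "ssh -q fw nc %h %p" and then need nc on the firewall).
# The ssh protocol itself runs end to end between this workstation and lab1,
# so the firewall sees only ciphertext and never holds the X11 authority
# cookie.  Only lab1 needs xauth(1) and the libraries of the X client.
Host lab1
    HostName lab1.internal
    User paul
    ProxyCommand ssh -q -W %h:%p fw
    ForwardX11 yes
    # Keep remote clients on the untrusted X SECURITY-extension cookie, which
    # limits what a compromised lab1 could do to the home display.
    ForwardX11Trusted no

# OpenSSH 7.3 and later can replace the ProxyCommand line with
#     ProxyJump fw
```

With this in place, `ssh lab1` followed by starting an X client on lab1 draws on the home display without X ever being installed on the firewall.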

Hi All,

I need to configure a VPN between a FreeBSD-4.8 box and a Linux
(FreeS/WAN) box.

On the Linux side, the network administrator installed FreeS/WAN with
RSA authentication without IKE support.

Does anybody know if it is possible to make my FreeBSD box connect a VPN
with the Linux box? If so, could you point me to documentation about how
to install IPSec with RSA authentication and how to make it work with
FreeS/WAN?

I have already read the pages on the sites www.freeswan.org and
www.kame.org but I didn't find it.
Thanks
Ronan

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 11:50:27 2003
From: "Ronan Lucio"
Date: Mon, 28 Jul 2003 11:04:18 -0300
Message-ID: <027e01c35511$23121b20$3aa8a8c0@melim.com.br>
Subject: IPSec

Hi All,

I need to configure a VPN between a FreeBSD-4.8 box and a Linux
(FreeS/WAN) box.

On the Linux side, the network administrator installed FreeS/WAN with
RSA authentication without IKE support.

Does anybody know if it is possible to make my FreeBSD box connect a VPN
with the Linux box? If so, could you point me to documentation about how
to install IPSec with RSA authentication and how to make it work with
FreeS/WAN?

I have already read the pages on the sites www.freeswan.org and
www.kame.org but I didn't find it.
Thanks
Ronan

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 12:40:45 2003
From: "Ronan Lucio"
Date: Thu, 24 Jul 2003 08:49:33 -0300
Message-ID: <007401c351d9$a6581790$3aa8a8c0@melim.com.br>
Subject: IPSec

Hi All,

I need to configure a VPN between a FreeBSD-4.8 box and a Linux
(FreeS/WAN) box.

On the Linux side, the network administrator installed FreeS/WAN with
RSA authentication.

Does anybody know if it is possible to make my FreeBSD box connect a VPN
with the Linux box? If so, could you point me to documentation about how
to install IPSec with RSA authentication and how to make it work with
FreeS/WAN?

I have already read the pages on the sites www.freeswan.org and
www.kame.org but I didn't find it.
Thanks
Ronan

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 12:40:45 2003
From: "Ronan Lucio"
Date: Wed, 23 Jul 2003 20:54:50 -0300
Message-ID: <012501c35175$ce366280$3aa8a8c0@melim.com.br>
Subject: IPSec

Hi All,

I need to configure a VPN between a FreeBSD-4.8 box and a Linux
(FreeS/WAN) box.

On the Linux side, the network administrator installed FreeS/WAN with
RSA authentication.

Does anybody know if it is possible to make my FreeBSD box connect a VPN
with the Linux box? If so, could you point me to documentation about how
to install IPSec with RSA authentication and how to make it work with
FreeS/WAN?

I have already read the pages on the sites www.freeswan.org and
www.kame.org but I didn't find it.
Thanks
Ronan

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 14:18:34 2003
From: David
To: freebsd-security@freebsd.org
Date: Mon, 28 Jul 2003 17:19:21 -0400
Message-ID: <3F259359.9000109@cogeco.ca>
In-Reply-To: <016201c35537$b6a673b0$3aa8a8c0@melim.com.br>
Subject: Re: IPSec

Ronan Lucio wrote:
> Hi All,
>
> I need to configure a VPN between a FreeBSD-4.8 box and
> a Linux (FreeS/WAN) box.
>
> On the Linux side, the network administrator installed FreeS/WAN
> with RSA authentication without IKE support.
>
> Does anybody know if it is possible to make my FreeBSD box
> connect a VPN with the Linux box?
> If so, could you point me to documentation about how to install
> IPSec with RSA authentication and how to make it work with
> FreeS/WAN?
>
> I have already read the pages on the sites www.freeswan.org
> and www.kame.org but I didn't find it.
>
> Thanks
> Ronan

Did you really need to ask 4 times?

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 14:25:04 2003
From: "Ronan Lucio"
To: "David"
Date: Mon, 28 Jul 2003 18:26:49 -0300
Message-ID: <01f901c3554e$f4e8bf90$3aa8a8c0@melim.com.br>
References: <016201c35537$b6a673b0$3aa8a8c0@melim.com.br> <3F259359.9000109@cogeco.ca>
Subject: Re: IPSec

> Did you really need to ask 4 times?

No, I'm sorry, list. It was a mistake.

My server wasn't sending messages to security@freebsd.org because it
had no reverse DNS. When I found out and made it work, all messages in
the queue were sent, too...
:-/

Sorry,
Ronan

From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 00:13:59 2003
From: "Nickolay A. Kritsky"
To: "Ronan Lucio"
Cc: freebsd-security@freebsd.org
Date: Tue, 29 Jul 2003 11:14:29 +0400
Message-ID: <198404259915.20030729111429@internethelp.ru>
In-Reply-To: <016201c35537$b6a673b0$3aa8a8c0@melim.com.br>
Subject: Re: IPSec

Hello Ronan,

Monday, July 28, 2003, 10:40:27 PM, you wrote:

RL> Hi All,

RL> I need to configure a VPN between a FreeBSD-4.8 box and
RL> a Linux (FreeS/WAN) box.

Never did this thing, but it seems to me that this topic was discussed
on this list quite often.
Try to search the mailing list archives on www.freebsd.org

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 00:52:38 2003
From: "Peut Kotze"
To: "Ronan Lucio"
Date: Tue, 29 Jul 2003 09:49:49 +0200
Message-ID: <5AC9A01A8B1175418B4DF7F45DD94D5F1E8A60@srvexch1.nanoteq.co.za>
Subject: RE: IPSec

Apart from the mailing lists, here are a few sites that may help as well:

FreeBSD/racoon with FreeS/WAN for Linux
http://www.ipv6.iabg.de/download/Interop_Report_6Wind_BSD_FS_v0_2.pdf

FreeBSD using x509 certificates with Win2k and FreeS/WAN:
http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html

FreeBSD with Windows 2000/XP
http://www.wiretapped.net/~fyre/ipsec

FreeBSD and Checkpoint VPN-1/FW1
http://restricted.dyndns.org/freebsd

And naturally, you can Google up a lot more...
Hope it helps
Peut

-----Original Message-----
From: Ronan Lucio [mailto:ronan@melim.com.br]
Sent: 28 July 2003 08:40
To: freebsd-security@freebsd.org
Subject: IPSec

Hi All,

I need to configure a VPN between a FreeBSD-4.8 box and a Linux
(FreeS/WAN) box.

On the Linux side, the network administrator installed FreeS/WAN with
RSA authentication without IKE support.

Does anybody know if it is possible to make my FreeBSD box connect a VPN
with the Linux box? If so, could you point me to documentation about how
to install IPSec with RSA authentication and how to make it work with
FreeS/WAN?

I have already read the pages on the sites www.freeswan.org and
www.kame.org but I didn't find it.

Thanks
Ronan

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 01:44:13 2003
From: Socketd
To: security@freebsd.org
Date: Tue, 29 Jul 2003 10:53:38 +0200
Message-Id: <20030729105338.556c79b4.db@traceroute.dk>
In-Reply-To: <198404259915.20030729111429@internethelp.ru>
Subject: Re: IPSec

> I need to configure a VPN between a FreeBSD-4.8 box and
> a Linux (FreeS/WAN) box.

http://openvpn.sourceforge.net/

br
socketd

From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 04:00:19 2003
From: Michael Nottebrock
To: kde@freebsd.org
Date: Tue, 29 Jul 2003 13:00:07 +0200
Message-Id: <200307291300.15746.michaelnottebrock@gmx.net>
Cc: ports@freebsd.org, security@freebsd.org
Subject: KDE 3.1.3 has been released.

KDE 3.1.3 has been officially released.

http://www.kde.org/announcements/announce-3.1.3.php

Additionally, a Security Advisory for all KDE versions since 2.2.2
through 3.1.2 has been released:

http://www.kde.org/info/security/advisory-20030729-1.txt

Users are encouraged to upgrade to KDE 3.1.3.

As usual, we provide a complete set of packages for i386 to save you
some compiling time at http://rabarber.fruitsalad.org/. We will also
provide contributed packages for alpha and gcc-3.3.1-5-CURRENT there
shortly. We believe, however, that the gcc-3.2.1-built packages for
5-CURRENT should work fine on up to date 5-CURRENT systems as well.

Thanks to all users, committers, pr-submitters & mailing list
participants and of course KDE developers for making this release
possible.
Regards,
-- 
  ,_,   | Michael Nottebrock              | lofi@freebsd.org
(/^ ^\) | FreeBSD - The Power to Serve    | http://www.freebsd.org
  \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org

From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 06:41:47 2003
From: "Ronan Lucio"
Date: Tue, 29 Jul 2003 10:43:29 -0300
Message-ID: <010b01c355d7$64db9e70$3aa8a8c0@melim.com.br>
References: <016201c35537$b6a673b0$3aa8a8c0@melim.com.br> <198404259915.20030729111429@internethelp.ru> <20030729105338.556c79b4.db@traceroute.dk>
Subject: Re: IPSec

Hello to All,

Thanks in advance for the help.
help.

Answering Nickolay's comment: I had already searched in the list archives for the past issues and I didn't find the answer I needed.

Just to be registered in the list: as far as I found documentation about this issue, on the FreeS/WAN website there is a very good link pointing to documentation about interoperating different IPSec platforms, including FreeBSD native IPSec to Linux / FreeS/WAN:
http://www.hsc.fr/ressources/ipsec/ipsec2000/

My main problem is that on the Linux server the network administrator didn't compile FreeS/WAN with IKE support, and as far as I understood, FreeBSD will only communicate with Linux/FreeS/WAN using RSA authentication via IPSec + racoon, and racoon is an IKE.

To solve my trouble, I got to put a FreeBSD box on the other side to make a VPN FreeBSD to FreeBSD... better... :-)

Thanks,
Ronan

From owner-freebsd-security@FreeBSD.ORG Tue Jul 29 16:45:04 2003
From: Socketd
To: security@freebsd.org
Date: Wed, 30 Jul 2003 01:54:31 +0200
Message-Id: <20030730015431.4120c648.db@traceroute.dk>
References: <20030727155239.3205a60b.db@traceroute.dk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Tue, 29 Jul 2003 16:53:17 -0500 wrote:

> I might be willing to tinker with a lockdown type shell script to
> handle that part of it.
>
> Another thing: the script/program/process/whatever could send an email
> to root with a list of the files it found which had improper settings.
> List the ones without the suid/sgid bit which were changed, and list
> the ones with them which were changed. That would cover the
> possibility of a port being installed and having him forget to add it
> into the list - this would serve as a reminder to actually stick it
> in.

Yes, if LockDown finds suid/gid files not listed in the conf file, the admin should get a message/mail.

> Also: perhaps those found with the bits set which were not listed as
> being allowed could be moved into an obscure subdirectory, sort of the
> way the PC virus protection programs do. Not only would it not have
> the bits set, but it would be gone. Then the next time the process
> runs, if it finds the program out there again, it might assume an
> attack of some type and send warning emails stating that is the case.
>
> And: Since this is a security thing, perhaps we could have a separate
> daemon which checks the conf file and program periodically, reporting
> to root when/if either changes. If the conf file changes, then an
> email might be okay. If the program changes, depending upon some
> security setting, you might just send an email and you might shut down
> the network interfaces or some such thing.
>
> Perhaps a makefile for the port could update the system so if you
> installed a new version then this panic attack wouldn't happen.
>
> And, optionally, you could let the new unauthorized version sit for a
> short while, then replace it with the last known good version and run
> it. Thus if someone hacked the system and noticed the lockdown program
> and made changes to the conf file, root would be notified of the conf
> file change by the daemon. But then if they wanted to hack the
> lockfile script itself, then root would get a message showing the
> diffs and, say, 5 minutes later, the last known good version would be
> put back and run - with, perhaps, the last known good version of the
> conf file being used as well. That would lock out the hacker and he
> wouldn't even know why or how - and would assume the sysadmin caught
> him. Make sense?
>
> Just some ramblings that you might think about...

Well again I have to say that LockDown was not meant to be an IDS. If you want a program to monitor suid files, tripwire is good. Anyway, having a daemon keeping an eye on the system is a good idea, but an attacker with root powers could just kill the process and install a rootkit. If you want a program to detect rootkits we have /usr/ports/security/chkrootkit.
br
socketd

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 10:16:59 2003
From: twig les <twigles@yahoo.com>
To: Socketd, lee@critesclan.com, security@freebsd.org
Date: Wed, 30 Jul 2003 10:16:58 -0700 (PDT)
Message-ID: <20030730171658.65834.qmail@web10102.mail.yahoo.com>
In-Reply-To: <20030730015431.4120c648.db@traceroute.dk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

I really like the sound of having a shell script to run and lock down systems right after install (or makeworld upgrade); I was considering hacking something together myself with my altogether mediocre scripting skills. Might I suggest that it have a conf file that sets up a script that we can simply scp to another box and run without having to have a conf file on that box? Also can we email you privately with "feature requests" like setting umask, etc.?

If you run with this I hope you'll post the script somewhere and tell us so we can tinker with it until it makes it to the ports or whatever. It makes more sense than me just making a checklist and following it every time.
--- Socketd wrote:

> On Tue, 29 Jul 2003 16:53:17 -0500 wrote:
>
> > I might be willing to tinker with a lockdown type shell script to
> > handle that part of it.
> >
> > Another thing: the script/program/process/whatever could send an email
> > to root with a list of the files it found which had improper settings.
> > List the ones without the suid/sgid bit which were changed, and list
> > the ones with them which were changed. That would cover the
> > possibility of a port being installed and having him forget to add it
> > into the list - this would serve as a reminder to actually stick it
> > in.
>
> Yes, if LockDown finds suid/gid files not listed in the conf file, the
> admin should get a message/mail.
>
> > Also: perhaps those found with the bits set which were not listed as
> > being allowed could be moved into an obscure subdirectory, sort of the
> > way the PC virus protection programs do. Not only would it not have
> > the bits set, but it would be gone. Then the next time the process
> > runs, if it finds the program out there again, it might assume an
> > attack of some type and send warning emails stating that is the case.
> >
> > And: Since this is a security thing, perhaps we could have a separate
> > daemon which checks the conf file and program periodically, reporting
> > to root when/if either changes. If the conf file changes, then an
> > email might be okay. If the program changes, depending upon some
> > security setting, you might just send an email and you might shut down
> > the network interfaces or some such thing.
> >
> > Perhaps a makefile for the port could update the system so if you
> > installed a new version then this panic attack wouldn't happen.
> >
> > And, optionally, you could let the new unauthorized version sit for a
> > short while, then replace it with the last known good version and run
> > it.
> > Thus if someone hacked the system and noticed the lockdown program
> > and made changes to the conf file, root would be notified of the conf
> > file change by the daemon. But then if they wanted to hack the
> > lockfile script itself, then root would get a message showing the
> > diffs and, say, 5 minutes later, the last known good version would be
> > put back and run - with, perhaps, the last known good version of the
> > conf file being used as well. That would lock out the hacker and he
> > wouldn't even know why or how - and would assume the sysadmin caught
> > him. Make sense?
> >
> > Just some ramblings that you might think about...
>
> Well again I have to say that LockDown was not meant to be an IDS. If
> you want a program to monitor suid files, tripwire is good.
> Anyway, having a daemon keeping an eye on the system is a good idea,
> but an attacker with root powers could just kill the process and install
> a rootkit. If you want a program to detect rootkits we have
> /usr/ports/security/chkrootkit.
>
> br
> socketd

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------
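The check this thread keeps coming back to, scanning for set-user-id and set-group-id files and telling root about any that the administrator has not approved, fits in a short shell script. The script below is an added example, not LockDown's code and not something any participant posted. It assumes (these details are not from the thread) an allowlist file holding one absolute path per line, with blank lines and '#' comments ignored, and it takes the scan root as an argument so it can be tried on a scratch directory before being pointed at /.

```sh
#!/bin/sh
# Added example, not part of LockDown or of the thread: report set-user-id and
# set-group-id files that are missing from an administrator-kept allowlist.
# Assumed layout (not from the thread): the allowlist is a text file holding
# one absolute path per line; blank lines and lines starting with '#' are
# ignored. The scan root is an argument so the script can be tried on a
# scratch directory before pointing it at /.

# list_setid_files ROOT
#   Print every regular file under ROOT that carries the setuid (4000) or
#   setgid (2000) bit, one path per line, sorted so comm(1) can consume it.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# find_unlisted_setid ROOT ALLOWLIST
#   Print the set-id files under ROOT that are not in ALLOWLIST.
#   Exit status: 0 when nothing unexpected was found, 1 when something was,
#   2 when a temporary file could not be created.
find_unlisted_setid() {
    scan_root=$1
    allow_file=$2
    tmp_allow=$(mktemp) || return 2
    tmp_found=$(mktemp) || { rm -f "$tmp_allow"; return 2; }

    # Normalise the allowlist: drop comments and blank lines, sort uniquely.
    grep -v '^[[:space:]]*#' "$allow_file" | grep -v '^[[:space:]]*$' | sort -u > "$tmp_allow"
    list_setid_files "$scan_root" > "$tmp_found"

    # comm -23 keeps lines present only in the first file: found but not allowed.
    comm -23 "$tmp_found" "$tmp_allow"
    count=$(comm -23 "$tmp_found" "$tmp_allow" | wc -l | tr -d ' ')
    rm -f "$tmp_allow" "$tmp_found"
    [ "$count" -eq 0 ]
}

# report_unlisted_setid ROOT ALLOWLIST
#   Build the text of the notice root would receive. Piping this output into
#   'mail -s "set-id files not on allowlist" root' from a cron job is the
#   mail-to-root step the thread describes; the mail call itself is left out.
report_unlisted_setid() {
    unlisted=$(find_unlisted_setid "$1" "$2") || true
    if [ -z "$unlisted" ]; then
        echo "No set-id files outside the allowlist under $1."
    else
        echo "Set-id files under $1 that are not on the allowlist:"
        printf '%s\n' "$unlisted"
    fi
}
```

The allowlist is the part that needs care: regenerate it from a freshly installed system or a known-good package list, not from a machine that is already in doubt, since the script only ever reports differences from whatever it is given.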
From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 10:21:45 2003
From: Matthew George <mdg@secureworks.net>
To: security@freebsd.org
Date: Wed, 30 Jul 2003 13:21:43 -0400 (EDT)
Message-ID: <20030730130919.E40074@localhost>
Subject: portmap, bind(), and NIS

Greetings

I'm running an NIS server that I would very much *not* want to be accessible on some of its interfaces. portmap can be instructed to bind to specific addresses using the -h flag, but this seems to break ypbind.

ypbind will attempt to find a server by issuing a broadcast rpc request to the local network. When portmap is not bound to INADDR_ANY, it will not reply to these requests.

I'd rather not have to run ypset on clients where this condition exists with their local NIS servers, and I'd really like to not have portmap bound on certain interfaces. I could filter it of course, but I was hoping someone had another option that they were aware of ...
TIA

--
Matthew George
SecureWorks Technical Operations

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 10:46:11 2003
From: Rolf Grossmann <rg@progtech.net>
To: Matthew George
Cc: security@freebsd.org
Date: Wed, 30 Jul 2003 19:45:49 +0200
Message-ID: <3F28044D.9000702@PROGTECH.net>
In-Reply-To: <20030730130919.E40074@localhost>
Subject: Re: portmap, bind(), and NIS

Hi,

Matthew George wrote:
> ypbind will attempt to find a server by issuing a broadcast rpc request to
> the local network. When portmap is not bound to INADDR_ANY, it will not
> reply to these requests.
>

What about the -S option to ypbind? That way it doesn't broadcast but uses the given servers. It's what I was using when yp client and server were not on the same subnet.
Rolf

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 10:58:22 2003
From: Socketd
To: security@freebsd.org
Date: Wed, 30 Jul 2003 20:07:35 +0200
Message-Id: <20030730200735.37365833.db@traceroute.dk>
References: <20030730015431.4120c648.db@traceroute.dk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Wed, 30 Jul 2003 10:39:56 -0500 wrote:

> Without some significant hardening, which I don't have the time to
> really do,

Ah, there we have the problem LockDown was designed to solve ;-)

> If you have
> some suggestions, I might take them into consideration and look into
> producing something that might be "port quality." Right now it works
> on FreeBSD, Linux, HPUX, AIX, and SunOS (all based upon config files).
LockDown and an IDS solve two different problems. I would like to help you build an IDS, but as you said, when it becomes well known the cracker will know how to shut it down.

I once designed (only designed) something I called CFC (central file control); maybe that could be extended to also include some IDS work. When you have a central IDS/network monitoring process/file control....very handy ;-)

I found the design (1½ years old); maybe LockDown or your IDS could use some of the ideas:

;---------------------------------------------------------------------
CFC, a secure alternative to NIS?

What is this new system and why do we need it?

This is an attempt to make a secure and all around better alternative to NIS. As not one line of code has been written yet, the design can of course be altered. Actually the reason you are reading this is because I want to hear your opinion of the design, so that the coded outcome will be as close to flawless as we can get, design-wise that is. I am just a 20 year old, self-taught guy and this is my first protocol design attempt, so I am not a pro at this, not even close, but I hope you like this design and agree with me regarding the need to replace NIS.

How does it work?

I'll call this system CFC (Central File Control), but I think (if this design is approved) it will be used to distribute/manage user controlling files like /etc/passwd, /etc/ftpusers, /etc/ftpchroot, /etc/groups and stuff like that to clients of any unix type. But as the name implies, you can control any file you want.

CFC must ensure the files it controls are at all times identical on all the clients, so you need to have a main CFC server to control the flow of information, as the clients can also change some files. So you need at least one CFC server, but I also recommend a backup server, just like DNS has primary and secondary servers.
If none of the systems is online when the client boots, it will just use the files it already has and update (if there is an update) later.

The server contacts the clients regarding updates by sending a multicast, because using multicasts ensures a minimum load on the LAN when informing the clients that they need to be updated. Then the clients connect to get the updates; the connection between the client and server is of course encrypted. To reduce network load, CFC relies on time stamps to limit file transfers.

Before we go into more details, let's look at the design of both the client and server side.

The client

I have done my very best to make clients as easy to configure as possible, because you will probably have more clients than servers. So the only info a client needs is:

The multicast address the client is a member of.
The server(s) IP and port
And the password for the server(s)

Sadly I could not find a secure way for the clients to find the server(s) by themselves. But you can always use hostnames instead of IPs. Maybe someone out there can see a solution to this small (or at least I think it is small) problem.

With this information, the client will be able to update the files the servers offer for update and be able to make local changes global, even though this is not a server. The reason for the latter is that users should not be affected (directly) by your network running this service. So if changes happen to a user's profile (name, password, shell), the client will then report this to the server and the server will update the whole network. I know this is dangerous, so I have inserted a rule: the clients can only change info about users who are not root or a member of wheel.

The files necessary for a client are:

/etc/cfc/client.conf
/etc/cfc/timestamp
/bin/cfcc

/etc/cfc/client.conf is the file where you specify things like multicast and CFC server(s).
/etc/cfc/timestamp is not a file you need to configure; it is just there to store time stamps of shared files. And /bin/cfcc is of course the CFC client daemon.

When a client boots, the CFC client (also called CFCc) will connect to the server and send /etc/cfc/timestamp to check if any file needs updating. If the timestamp file is empty we must assume that it is a new client, so it will get all the files the server offers for update. The client will also connect and search for updates if it gets a multicast from the server, telling all clients that an update is necessary.

As mentioned, a user can also locally (on the client) change his profile so that it affects all clients and servers where he has an account. The CFCc will, every minute or when a multicast arrives, check to see if the local passwd file has been changed. If it has, the client will check if the change has happened to a normal user (not root or a wheel member); if yes, then it will inform the server and the server will update the LAN (the server will also check to see if the user is root or a member of wheel).

Ok, enough about the client, let's take a look at the server.

The server

The server is of course more difficult to configure, but I have tried to keep it simple yet flexible. With this design you can have many CFC servers on one machine; you just have to use different multicasts for different "netgroups" (as NIS calls them). Maybe it is better to have one multicast for all clients, but then different group names. Or multicasts for different subnets and then groups within the subnet multicast group, but then again, if your LAN is this big, you probably don't want CFC or NIS for security reasons and you would split the network and hire admins for the different subnets?
I don't know yet, but you can help me decide.

At the server we have these files:

/etc/cfc/*/cfcd.conf
/etc/cfc/*/timestamp
/etc/cfc/*/* (files to be updated)
/bin/cfc
/bin/cfcd

The dir "*" is a dir you create; the admin can create all the dirs he wants in /etc/cfc/, but he has to include cfcd.conf in every one then (the timestamp file will be created by the server). This makes it possible to keep different groups, e.g. you may have clients who need the full password file and some where only wheel members are allowed to login.

Let's see what is in /etc/cfc/*/cfcd.conf

Multicast=""
Port_number=""
Client_Password=""
Other_servers=""
Server_password=""

To be quick about it, Multicast is the multicast the server should use, the same with the port number and password for the clients. With the Other_servers="" field you specify the other servers' IPs and ports. Server_password is there to ensure that a cracker doesn't get too much power by getting the client_password or rooting a client (if he tries to set up a CFC server).

Frankly there is no difference between servers. They will all accept clients and updates from clients, but have the clients first try to update to and from the primary server. The clients will connect to the server which is listed first in this configuration file. If a multicast arrives from an IP that is not on the client's list, it will not respond to it. Servers also use this which-server-is-listed-first method to determine their place in the server hierarchy. As an admin you can update your files from any server you want and clients can make and get updates to and from any server they want, but the servers will know who is in charge, so they will forward all updates to the first online server on the list and let it update the other servers and clients on the network.
This way if a server goes down the clients and servers just use the next one in line, and when the primary server comes online again, it will update and take over as the primary server. A server will not send all its shared files to another server if it is not listed in its conf file, so knowing the server password is not enough for a cracker to get control of CFC.

The timestamp file has the same function as the clients' timestamp file. /bin/cfc should be executed when the admin wishes to send out a multicast. /bin/cfcd is the server daemon program.

Now it is finally time to look at the files in /etc/cfc/*/; these are the files the server offers clients (of that multicast address) to download. The syntax is as follows:

Local_file=""
Remote_file=""

This should not be too hard to understand; you tell the system where to get the file and where the client should put the file. So making a direct copy of, let's say, /etc/group is very easy:

Local_file="/etc/group"
Remote_file="/etc/group"

The scheme will of course not work in all cases, so I have added some keywords:

/ADD
/DELETE
/COMMENT

/COMMENT is the most simple one; whatever comes after /COMMENT is added to the file, which also means /COMMENT should always be the last keyword to add. With this little trick, you can define a whole file just by doing this:

Local_file=""
Remote_file="/etc/newfile"
/COMMENT Hi, this is the context of the "newfile".

Now a file (/etc/newfile) is created on all clients and the body of the file would just hold 'Hi, this is the context of the "newfile".'

/ADD and /DELETE have different meanings depending on which file is in Local_file="", so they only have effect in the following files:

/etc/groups
/etc/passwd
/etc/ftpusers
/etc/ftpchroot
More?

All those files have in common that they are "user control files". These functions were added to save the admin from creating and maintaining more than one (e.g.) /etc/group file.
With /ADD and /DELETE you can add and delete users and groups from a file. E.g. if you want to make a /etc/passwd file for a system that should only allow members of wheel, you just write:

Local_file="/etc/passwd"
Remote_file="/etc/passwd"
/DELETE ALL
/ADD ::wheel

(Looking back and reading this, I see the syntax could be better ;-))

You can use one ':' to add or delete users and two ':'s to add or delete groups from the file.

Anyway, I don't know what you think about this new idea; this is just me thinking out loud :-)
#EOF

br
socketd

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 11:04:29 2003
From: Socketd
To: twig les, security@freebsd.org
Date: Wed, 30 Jul 2003 20:14:00 +0200
Message-Id: <20030730201400.1708d588.db@traceroute.dk>
In-Reply-To: <20030730171658.65834.qmail@web10102.mail.yahoo.com>
References: <20030730015431.4120c648.db@traceroute.dk> <20030730171658.65834.qmail@web10102.mail.yahoo.com>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
On Wed, 30 Jul 2003 10:16:58 -0700 (PDT) twig les wrote:

> I really like the sound of having a shell script to run and lock
> down systems right after install (or makeworld upgrade); I was
> considering hacking something together myself with my altogether
> mediocre scripting skills. Might I suggest that it have a conf
> file that sets up a script that we can simply scp to another box
> and run without having to have a conf file on that box? Also
> can we email you privately with "feature requests" like setting
> umask, etc.?

Well, LockDown only has two files (the executable and the conf file) and I'm gonna write it in C++, so making the C++ write a second program in a different language (which I don't master) is maybe a little overkill ;-) But feel free to write me. I will start working on LockDown in about 2-3 weeks (I think) and I'll post a notice here when I am "done".

> If you run with this I hope you'll post the script somewhere and
> tell us so we can tinker with it until it makes it to the ports
> or whatever. It makes more sense than me just making a
> checklist and following it every time.
LockDown is just an automatic security checklist ;-)

br
socketd

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 11:18:23 2003
From: Mike Hoskins <mike@adept.org>
To: security@freebsd.org
Date: Wed, 30 Jul 2003 11:18:22 -0700 (PDT)
Message-ID: <20030730111512.S16789@fubar.adept.org>
In-Reply-To: <20030730201400.1708d588.db@traceroute.dk>
References: <20030730015431.4120c648.db@traceroute.dk> <20030730201400.1708d588.db@traceroute.dk>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)

On Wed, 30 Jul 2003, Socketd wrote:

> Well, LockDown only has two files (the executable and the conf file) and
> I'm gonna write it in C++, so making the C++ write a second program in a
> different language (which I don't master) is maybe a little overkill ;-)

Just as an aside, this sounds more and more like BastilleBSD. ;) If that's the direction you're headed, you may want to play with Bastille on a Linux box (or vmware session) and see if you get any more ideas...
Something that essentially automates the aforementioned checklist would be very similar to Bastille already. (But for BSD, which I'm sure many would find useful.)

Good luck,
-mrh

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 11:36:14 2003
From: Socketd
To: freebsd-security@freebsd.org
Date: Wed, 30 Jul 2003 20:45:45 +0200
Message-Id: <20030730204545.0f09adc8.db@traceroute.dk>
In-Reply-To: <20030730111512.S16789@fubar.adept.org>
References: <20030730015431.4120c648.db@traceroute.dk> <20030730201400.1708d588.db@traceroute.dk> <20030730111512.S16789@fubar.adept.org>
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
On Wed, 30 Jul 2003 11:18:22 -0700 (PDT)
Mike Hoskins wrote:

> Just as an aside, this sounds more and more like BastilleBSD. ;) If
> that's the direction you're headed, you may want to play with Bastille
> on a Linux box (or vmware session) and see if you get any more
> ideas... Something that essentially automates the aforementioned
> checklist would be very similar to Bastille already. (But for BSD,
> which I'm sure many would find useful.)
>
> Good luck,

Thanks, I'll look into that :-)

br
socketd

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 15:57:24 2003
Date: Wed, 30 Jul 2003 15:53:40 -0700
From: Michael Collette
To: FreeBSD Security
Subject: Kerberos to file server
Message-Id: <200307301553.40385.metrol@metrol.net>

Howdy,

I may be approaching this problem entirely wrong, or not. Was hoping for a
little guidance one way or the other.
I've got this AS/400 with gobs of unused file storage on it that I want to
share across as a file server to a FreeBSD box. The AS/400 side of things
supports NFS and kinda pretends to be a Unix-like machine in this role.

Users will be booting from diskless clients hosted from the FreeBSD box. The
base directories like /usr and such will come from there. I want to have
user-alterable stuff like /home and shared directories to be hosted over on
the AS/400, as it's got all the space.

My primary problem with this is ensuring one login gets you access to both the
FreeBSD box as well as the shares on the AS/400. I don't want to have users
log into the FreeBSD box and then need to log in again to the AS/400.

From what I've read thus far it "seems" that configuring Kerberos between the
two is the way to go about this. The handbook talks about setting up a
remote login kind of thing, but nothing about how to handle NFS permissions.
I also don't quite get how to automate the process of authenticating and
mounting upon initial login.

Question 1: Am I heading down the right road, or are there other options I
should be considering first?

Question 2: If I'm on the correct path where should I look for some kind of a
tutorial for the mechanics of getting this to happen?

Thanks,
--
"In theory, there is no difference between theory and practice. In practice,
there is."
- Yogi Berra

From owner-freebsd-security@FreeBSD.ORG Wed Jul 30 18:27:48 2003
Date: Wed, 30 Jul 2003 21:29:10 -0400 (EDT)
From: Matt Piechota
To: Michael Collette
cc: FreeBSD Security
Subject: Re: Kerberos to file server
Message-ID: <20030730212059.X17489@cithaeron.argolis.org>
In-Reply-To: <200307301553.40385.metrol@metrol.net>

On Wed, 30 Jul 2003, Michael Collette wrote:

> From what I've read thus far it "seems" that configuring Kerberos
> between the two is the way to go about this.
> The handbook talks about
> setting up a remote login kind of thing, but nothing about how to
> handle NFS permissions. I also don't quite get how to automate the
> process of authenticating and mounting upon initial login.
>
> Question 1: Am I heading down the right road, or are there other options
> I should be considering first?

What you're doing should work just fine. I can't see any difference
between a netbooted client and a regular PC client.

> Question 2: If I'm on the correct path where should I look for some kind
> of a tutorial for the mechanics of getting this to happen?

NFS doesn't really /do/ permissions, so the easiest (and probably least
safe) is to export as400:/home to all the clients, and make it
root-writable to the FreeBSD master server. All the clients would
individually mount the NFS share from as400 on boot, and since the FreeBSD
box has root-write, you can manage the files from it. The as400 wouldn't
even need to know about the users at all (unless as400's nfs has rules
about uids having to match something in its own password file, which isn't
standard).

A safer way would be to use AFS, since it does proper authentication, but
I have no idea if as400 would make a nice AFS server.

And this isn't strictly speaking a freebsd-security@ question, for that
matter. Reply to me directly if you have questions.
--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 11:35:52 2003
Date: Thu, 31 Jul 2003 11:35:53 -0700
From: John Fox
To: freebsd-security@freebsd.org
Subject: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Message-ID: <20030731183553.GA85469@mind.net>

Hello,

I see in BugTraq that there's yet another problem with Wu-ftpd, but I see
no mention of it in the freebsd-security mailing list archives...I have
searched the indexes from all of June and July.

Wu is pretty widely used, so I'm surprised that nobody seems to have
mentioned this problem in this forum.

The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
reason to assume that FreeBSD machines aren't vulnerable, too.
Which is why I am confused as to the lack of discussion of this matter.

Can anyone shed some light on this?

Thank you,

John

--
John Fox | System Administrator | InfoStructure
"The people and friends that we have lost, the dreams that have faded...
never forget them." -- Yuna, Final Fantasy X

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 11:40:52 2003
Date: Thu, 31 Jul 2003 14:40:54 -0400 (EDT)
From: polytarp@cyberspace.org
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
In-Reply-To: <20030731183553.GA85469@mind.net>

On Thu, 31 Jul 2003 jjf@mind.net wrote:

> Hello,
>
> I see in BugTraq that there's yet another problem with Wu-ftpd, but I see
> no mention of it in the freebsd-security mailing list archives...I have
> searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?
>
> Thank you,
>
> John

Buffer overflows which work on Linux do not work on FreeBSD.
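The one-line claim above, and the replies that follow it in this thread, turn on the gap between a bug existing in the source and its effect being visible on a given platform. This added example (not from the thread, and not wu-ftpd's code) shows a single off-by-one NUL write in C whose observable effect depends only on what the compiler placed next to the buffer, beside the bounds-checked fix; the two struct layouts, the flag value and the sample inputs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed marker for the flag: zeroing any single byte of it changes
 * the value, so the check below does not depend on byte order. */
#define FLAG_INTACT 0x01010101u

/* Layout A (constructed): the fixed-size name buffer sits directly before
 * a flag, so one byte written past the buffer lands in the flag. */
struct layout_a {
    char     name[8];
    uint32_t authenticated;
};

/* Layout B (constructed): the flag sits before the buffer and padding
 * follows it, so the same stray byte lands where nothing reads it. */
struct layout_b {
    uint32_t authenticated;
    char     name[8];
    char     slack[8];
};

/* The bug: copies up to n bytes, then writes the terminator at dst[i].
 * When src fills the buffer, i == n and the NUL lands one past the end. */
static void copy_off_by_one(char *dst, size_t n, const char *src)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* The fix: stop one byte early so the terminator always fits.
 * Over-long input is truncated instead of overrunning the buffer. */
static void copy_bounded(char *dst, size_t n, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* Copy `input` into layout A with the buggy (use_fix == 0) or the fixed
 * routine and report whether the neighbouring flag survived (1) or not (0). */
static int flag_survives_a(const char *input, int use_fix)
{
    struct layout_a a;
    memset(&a, 0, sizeof a);
    a.authenticated = FLAG_INTACT;
    if (use_fix)
        copy_bounded(a.name, sizeof a.name, input);
    else
        copy_off_by_one(a.name, sizeof a.name, input);
    return a.authenticated == FLAG_INTACT;
}

/* The same experiment with layout B: same code, same input, different
 * neighbour, so the same bug leaves no visible trace. */
static int flag_survives_b(const char *input, int use_fix)
{
    struct layout_b b;
    memset(&b, 0, sizeof b);
    b.authenticated = FLAG_INTACT;
    if (use_fix)
        copy_bounded(b.name, sizeof b.name, input);
    else
        copy_off_by_one(b.name, sizeof b.name, input);
    return b.authenticated == FLAG_INTACT;
}

/* Run the fixed copy into an 8-byte buffer and compare with `expected`,
 * to show that the fix truncates rather than overruns. */
static int bounded_copy_matches(const char *input, const char *expected)
{
    char buf[8];
    copy_bounded(buf, sizeof buf, input);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that exactly fills the buffer. */
    const char *inputs[] = { "alice", "12345678" };
    size_t k;

    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("input %-9s buggy copy: A flag %s, B flag %s; fixed copy: A flag %s\n",
               inputs[k],
               flag_survives_a(inputs[k], 0) ? "intact" : "CLOBBERED",
               flag_survives_b(inputs[k], 0) ? "intact" : "CLOBBERED",
               flag_survives_a(inputs[k], 1) ? "intact" : "CLOBBERED");
    return 0;
}
```

The buggy copy is equally wrong in both layouts; only layout A makes the corruption observable, which is why a test that passes on one build says nothing about the bug being absent on another.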
From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 11:52:05 2003
Date: Thu, 31 Jul 2003 14:52:56 -0400
From: Mike Tancsa
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Message-Id: <5.2.0.9.0.20030731144633.05832008@209.112.4.2>
References: <20030731183553.GA85469@mind.net>

At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
>Buffer overflows which work on Linux do not work on FreeBSD.

You need to qualify that statement. Yes, there are some that will not be
relevant and the exact same exploit code will not work. But "Buffer
overflows which work on Linux do not work on FreeBSD" is dangerously
misleading.... In the case of wu-ftpd there have been several issues in the
past that affected both FreeBSD and Linux. Same bug, different exploit
code, both vulnerable.
That being said, I haven't had a chance to review this one so I don't know.

---Mike

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 12:20:25 2003
Date: Thu, 31 Jul 2003 15:19:24 -0400 (EDT)
From: Robert Watson
To: John Fox
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
In-Reply-To: <20030731183553.GA85469@mind.net>

On Thu, 31 Jul 2003, John Fox wrote:

> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives...I
> have searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too.
> Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?

I can't speak to specifically why there hasn't been an advisory of some
sort for this specific vulnerability, but I can say that the primary reason
why wu-ftpd issues don't get much discussion on FreeBSD lists compared to
Linux lists is that the default FTP server in FreeBSD isn't wu-ftpd, unlike
many Linux distributions. It's considered a third party software package,
which means it will generally be covered in ports security notices, as
opposed to FreeBSD security advisories. In the past, a number of
vulnerabilities in various FTP packages have been associated with bugs in
library code, not in the FTP daemon itself -- for example, at least one or
two cases were associated with the libc glob code. This can also affect
whether a vulnerability applies on all OS's, or just a few.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 14:31:42 2003
Date: Thu, 31 Jul 2003 17:31:46 -0400 (EDT)
From: polytarp@cyberspace.org
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
In-Reply-To: <5.2.0.9.0.20030731144633.05832008@209.112.4.2>
On Thu, 31 Jul 2003 mike@sentex.net wrote:

> At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
>
> >Buffer overflows which work on Linux do not work on FreeBSD.
>
> You need to qualify that statement. Yes, there are some that will not be
> relevant and the exact same exploit code will not work. But "Buffer
> overflows which work on Linux do not work on FreeBSD" is dangerously
> misleading.... In the case of wu-ftpd there have been several issues in the
> past that affected both FreeBSD and Linux. Same bug, different exploit
> code, both vulnerable. That being said, I haven't had a chance to review
> this one so I don't know.

No, you're wrong. Even a different COMPILER -- let alone a different
OPERATING SYSTEM -- can make buffer overflows not work.

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 14:37:35 2003
Date: Thu, 31 Jul 2003 14:37:34 -0700
From: Kris Kennaway
To: polytarp@cyberspace.org
Message-ID: <20030731213734.GA15002@rot13.obsecurity.org>
References: <5.2.0.9.0.20030731144633.05832008@209.112.4.2>
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug

On Thu, Jul 31, 2003 at 05:31:46PM -0400, polytarp@cyberspace.org wrote:
> On Thu, 31 Jul 2003 mike@sentex.net wrote:
>
> > At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
> >
> > >Buffer overflows which work on Linux do not work on FreeBSD.
> >
> > You need to qualify that statement. Yes, there are some that will not be
> > relevant and the exact same exploit code will not work. But "Buffer
> > overflows which work on Linux do not work on FreeBSD" is dangerously
> > misleading.... In the case of wu-ftpd there have been several issues in the
> > past that affected both FreeBSD and Linux. Same bug, different exploit
> > code, both vulnerable. That being said, I haven't had a chance to review
> > this one so I don't know.
>
> No, you're wrong. Even a different COMPILER -- let alone a different
> OPERATING SYSTEM -- can make buffer overflows not work.

1) Can != will. In most cases these vulnerabilities are fairly OS-neutral.

2) It is true that a given exploit for the overflowable buffer will not
usually work on a different OS, but that doesn't mean that one cannot be
easily developed to exploit that OS.
Kris

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 14:41:55 2003
Date: Thu, 31 Jul 2003 14:41:46 -0700
From: fbsd@w88trigger.com
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Message-Id: <200307311441.46810.fbsd@w88trigger.com>

Did you read Mike's email!? Sure, a different compiler and OS can make
buffer overflows not work, but that does not mean the buffer overflow does
not exist on a different system. The buffer overflow MAY still exist and
MAY still be exploitable using different exploit code (as Mike stated in
his email).
On Thursday 31 July 2003 14:31, polytarp@cyberspace.org wrote:
> On Thu, 31 Jul 2003 mike@sentex.net wrote:
> > At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
> > >Buffer overflows which work on Linux do not work on
> > > FreeBSD.
> >
> > You need to qualify that statement. Yes, there are some
> > that will not be relevant and the exact same exploit code
> > will not work. But "Buffer overflows which work on Linux
> > do not work on FreeBSD" is dangerously misleading.... In the
> > case of wu-ftpd there have been several issues in the past
> > that affected both FreeBSD and Linux. Same bug, different
> > exploit code, both vulnerable. That being said, I haven't
> > had a chance to review this one so I don't know.
>
> No, you're wrong. Even a different COMPILER -- let alone a
> different OPERATING SYSTEM -- can make buffer overflows not
> work.

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 15:41:14 2003
Date: Thu, 31 Jul 2003 17:40:16 -0500
From: "Jacques A. Vidrine"
To: John Fox
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Message-ID: <20030731224016.GA91355@madman.celabo.org>
In-Reply-To: <20030731183553.GA85469@mind.net>

On Thu, Jul 31, 2003 at 11:35:53AM -0700, John Fox wrote:
> Hello,
>
> I see in BugTraq that there's yet another problem with Wu-ftpd, but I see
> no mention of it in the freebsd-security mailing list archives...I have
> searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?

Hmm. The issue was scheduled to be made public at 12:00 pm EDT today.
Daniel Harris committed the fix to the FreeBSD Ports Collection around
12:07 pm EDT today. This issue will be rolled into the next FreeBSD
Security Notice (probably Monday --- serious problems like this tend to
`trigger' a notice).

If you want to bitch at someone, bitch at the wu-ftpd.org guys for
ignoring the reported bug for two months.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 16:28:49 2003
Date: Thu, 31 Jul 2003 19:28:52 -0400 (EDT)
From: polytarp@cyberspace.org
cc: freebsd-security@freebsd.org
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
In-Reply-To: <200307311441.46810.fbsd@w88trigger.com>

Yes, I read Mike's E-mail. Did you read mine? I stated quite clearly, and
I quote: can make buffer overflows. Mike and I are in complete agreement.

On Thu, 31 Jul 2003 fbsd@w88trigger.com wrote:

> Did you read Mike's email!? Sure, a different compiler and OS
> can make buffer overflows not work, but that does not mean the
> buffer overflow does not exist on a different system. The
> buffer overflow MAY still exist and MAY still be exploitable
> using different exploit code (as Mike stated in his email).
>
>
> On Thursday 31 July 2003 14:31, polytarp@cyberspace.org wrote:
> > On Thu, 31 Jul 2003 mike@sentex.net wrote:
> > > At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:
> > > >Buffer overflows which work on Linux do not work on
> > > > FreeBSD.
> > >
> > > You need to qualify that statement. Yes, there are some
> > > that will not be relevant and the exact same exploit code
> > > will not work. But "Buffer overflows which work on Linux
> > > do not work on FreeBSD" is dangerously misleading.... In the
> > > case of wu-ftpd there have been several issues in the past
> > > that affected both FreeBSD and Linux. Same bug, different
> > > exploit code, both vulnerable. That being said, I haven't
> > > had a chance to review this one so I don't know.
> >
> > No, you're wrong. Even a different COMPILER -- let alone a
> > different OPERATING SYSTEM -- can make buffer overflows not
> > work.

From owner-freebsd-security@FreeBSD.ORG Mon Jul 28 14:14:21 2003
Date: Mon, 28 Jul 2003 17:14:17 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200307282114.h6SLEHIj025101@khavrinen.lcs.mit.edu>
To: "Ronan Lucio"
cc: security@freebsd.org
Subject: IPSec
In-Reply-To: <012501c35175$ce366280$3aa8a8c0@melim.com.br>

Ronan Lucio said:

> Does anybody know if it is possible to make my FreeBSD box
> connect a VPN with the Linux box?
> If so, could you point me to documentation about how to install
> IPSec with RSA authentication and how to make it work with
> FreeS/WAN?

A co-worker of mine wrote this document about interoperation between the
two implementations:

He notes that Linux 2.6 uses the same IKE daemon as FreeBSD.
-GAWollman

From owner-freebsd-security@FreeBSD.ORG Fri Aug 1 11:25:41 2003
Date: 01 Aug 2003 20:25:23 +0200
From: Bjoern Engels
To: freebsd-security@freebsd.org
Message-Id: <1059762323.2635.7.camel@sigma7.bnet>
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug

On Thu, 2003-07-31 at 21:19, Robert Watson wrote:
> wu-ftpd, unlike many Linux distributions. It's considered a third party
> software package, which means it will generally be covered in ports
> security notices, as opposed to FreeBSD security advisories.

In the past, I haven't seen a single ports advisory during the last months;
what's happened to them?

-- 
Bjoern Engels
You know you're doomed when you have to whois your domain registrar ID to
find out your own phone number

From owner-freebsd-security@FreeBSD.ORG Fri Aug 1 14:37:14 2003
Date: Fri, 1 Aug 2003 18:39:04 -0300
From: "Ronan Lucio"
Message-ID: <00a001c35875$5432f730$3aa8a8c0@melim.com.br>
Subject: FTP

Hello,

I usually permit TCP traffic on ports 1025 to 65535 of the servers that I
need to permit FTP access to.

Is there a more secure way to permit FTP access instead of permitting such
ports?

I have a FreeBSD gateway/router in a building with these ports open and I'm
having some problems with users using software like Kazaa and eMule.

Any help would be appreciated.
Thanks,
Ronan

From owner-freebsd-security@FreeBSD.ORG Sat Aug 2 00:12:12 2003
Date: Sat, 2 Aug 2003 09:12:01 +0200
From: Jan Lentfer
To: Ronan Lucio
Cc: security@freebsd.org
Message-ID: <1059808321.3f2b6441bbaa5@www-mail.lan>
In-Reply-To: <00a001c35875$5432f730$3aa8a8c0@melim.com.br>
Subject: Re: FTP

Quoting Ronan Lucio:

> I usually permit TCP traffic on ports from 1025 to 65535 of the servers
> that I need to permit FTP access.
>
> Is there a more secure way to permit FTP access instead of to
> permit such ports?

What FTP server are you using? If I remember right, ProFTPd allows you to
define what passive ports to use, e.g. 50000-50100 or something like that.
Then you only open up the ports you defined in proftpd.conf in the firewall.

Or did you mean outgoing FTP traffic?

hth,
Jan

From owner-freebsd-security@FreeBSD.ORG Sat Aug 2 16:44:13 2003
Message-ID: <20030802234619.4492.qmail@linuxmail.org>
From: "...VpB ..."
To: freebsd-security@freebsd.org
Date: Sun, 03 Aug 2003 07:46:19 +0800
Subject: Security

I have heard that somebody has compiled a new kernel and made a virtual
user, and if somebody wants to use an exploit he will connect to the
virtual one! Can you tell me how to compile a kernel? I just have one, but
I want one more kernel to create that virtual user!

From owner-freebsd-security@FreeBSD.ORG Sat Aug 2 16:50:41 2003
Date: Sun, 3 Aug 2003 02:49:23 +0300
From: Tarmo Renter
To: "...VpB ...", freebsd-security@freebsd.org
Message-Id: <200308030249.23566.tarmo@momentor.ee>
In-Reply-To: <20030802234619.4492.qmail@linuxmail.org>
Subject: Re: Security

On Sunday 03 August 2003 02:46, ...VpB ... wrote:
> I have heard that somebody has compiled a new kernel and made a virtual
> user, and if somebody wants to use an exploit he will connect to the
> virtual one! Can you tell me how to compile a kernel? I just have one, but
> I want one more kernel to create that virtual user!

There is an excellent overview of "how to compile a new kernel" in the
FreeBSD docs:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

T
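The wu-ftpd exchange earlier in this digest (whether an overflow that works on Linux works on FreeBSD, under the subject "remotely exploitable off-by-one bug") is easier to follow with the bug class in front of you. The following is an added example written for this page; it is not wu-ftpd code and not code from any poster, and the struct, its field names and the PATHLEN constant are hypothetical. It shows the classic off-by-one: a length check that lets len == sizeof(buf) through and then writes the terminating NUL one byte past the buffer, next to the bounded version of the same routine. The field that gets hit is placed in a struct so the single-byte overwrite is observable on any compiler; in real code the clobbered byte is whatever the compiler happened to put next to the buffer on the stack or heap, which is exactly why the same bug needs different exploit code on different platforms and compilers, as the posters argue.

```c
/* Added example, not from wu-ftpd or from the thread: an off-by-one NUL
 * write beside its bounded form. Struct, field names and PATHLEN are
 * hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATHLEN 16

/* Hypothetical request record. C guarantees field order, so a write to
 * path[PATHLEN] lands in 'privileged' regardless of compiler or platform;
 * on a real stack frame the victim byte depends on the frame layout. */
struct request {
    char path[PATHLEN];
    unsigned char privileged;   /* constructed sentinel, set to 0x80 below */
};

/* Vulnerable: the check accepts len == PATHLEN, and then the terminator is
 * written at path[PATHLEN], one byte past the end (undefined behaviour).
 * Returns 1 if the input was accepted, 0 if rejected. */
int copy_path_vulnerable(struct request *r, const char *src, size_t len)
{
    if (len > PATHLEN)          /* off by one: should be >= */
        return 0;
    memcpy(r->path, src, len);
    r->path[len] = '\0';        /* len == PATHLEN -> out-of-bounds write */
    return 1;
}

/* Fixed: reserve one byte for the NUL, so the longest accepted path is
 * PATHLEN - 1 characters. */
int copy_path_fixed(struct request *r, const char *src, size_t len)
{
    if (len >= PATHLEN)
        return 0;
    memcpy(r->path, src, len);
    r->path[len] = '\0';
    return 1;
}

/* Run one copy routine on a constructed input of `len` 'A' bytes and
 * return its accept/reject verdict. */
int accepts(int (*copy)(struct request *, const char *, size_t), size_t len)
{
    struct request r;
    char input[PATHLEN + 1];
    if (len > sizeof input)
        return -1;
    memset(input, 'A', sizeof input);
    memset(&r, 0, sizeof r);
    return copy(&r, input, len);
}

/* Same, but return the value of the adjacent field afterwards. It starts
 * as 0x80; the vulnerable routine zeroes it when len == PATHLEN. */
unsigned char adjacent_after_copy(int (*copy)(struct request *, const char *, size_t),
                                  size_t len)
{
    struct request r;
    char input[PATHLEN + 1];
    if (len > sizeof input)
        return 0xff;
    memset(input, 'A', sizeof input);
    memset(r.path, 0, sizeof r.path);
    r.privileged = 0x80;
    (void)copy(&r, input, len);
    return r.privileged;
}

int main(void)
{
    printf("vulnerable, %d-byte input: accepted=%d adjacent=0x%02x\n", PATHLEN,
           accepts(copy_path_vulnerable, PATHLEN),
           adjacent_after_copy(copy_path_vulnerable, PATHLEN));
    printf("fixed,      %d-byte input: accepted=%d adjacent=0x%02x\n", PATHLEN,
           accepts(copy_path_fixed, PATHLEN),
           adjacent_after_copy(copy_path_fixed, PATHLEN));
    return 0;
}
```

Build with cc -o offbyone offbyone.c and run it: the vulnerable routine accepts the 16-byte input and the adjacent byte comes back as 0x00, the fixed routine rejects it and the byte stays 0x80. Because the stray write is undefined behaviour, an AddressSanitizer build (-fsanitize=address) reports the exact store; that is the cheapest way to find this pattern in a code base before someone finds it for you.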
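Jan's answer in the FTP thread above (pin the passive data-port range in proftpd.conf and open only that range on the firewall) as a concrete fragment. This is an added example for this page, not configuration from the original posts; the server address 192.0.2.10, the interface fxp0, the rule numbers and the 50000-50100 range are placeholders, and the firewall rules are written for ipfw, which the thread does not name.

```conf
# /usr/local/etc/proftpd.conf (fragment): confine passive-mode data
# connections to a fixed range instead of letting the server pick any
# free high port.
PassivePorts 50000 50100

# ipfw rules on the gateway (fragment). Before: the whole 1025-65535 range
# was open inbound, so every listening program on the server, not just the
# FTP daemon, was reachable from outside.
#   ipfw add 1000 allow tcp from any to 192.0.2.10 1025-65535 in via fxp0 setup
# After: the control channel plus the configured passive range only.
ipfw add 1000 allow tcp from any to 192.0.2.10 21 in via fxp0 setup
ipfw add 1010 allow tcp from any to 192.0.2.10 50000-50100 in via fxp0 setup
ipfw add 1020 allow tcp from any to any established
ipfw add 1030 deny tcp from any to any in via fxp0 setup
```

Size the range for the number of concurrent transfers you expect: each open data connection holds one port from it. Active-mode FTP is unaffected, since there the server connects out from port 20 and the hole is needed on the client side. And, as Jan asks, if the problem is internal users doing outgoing FTP through the gateway rather than inbound access to servers, opening inbound high ports on the servers does nothing for them; that case wants stateful rules or an FTP proxy on the gateway, not a wider inbound range.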