From owner-freebsd-security@FreeBSD.ORG Wed Dec 1 04:52:04 2004
From: Clément MOULIN <cmoulin@simplerezo.com>
Date: Wed, 1 Dec 2004 05:51:35 +0100
Organization: SimpleRezo
Subject: FreeBSD bridge + filtering, BIG problem

Hi,

I'm afraid I have found a FreeBSD 5.X security issue.
We have recently upgraded one gateway from 4.10 to 5.3... The following network is used:

  [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                 |
                 |--fxp0--em0--[SR02]

On fw01, we have one jail.

So fw01 is configured as a bridge on xl1, xl0, fxp0. Services work (before and after the upgrade).

On 4.10, we used IPFilter as firewall and for network traffic accounting. Since the upgrade, INCOMING traffic accounting does not work anymore (OUTGOING working fine)...

Thinking this could be an ipfilter issue, and because we are planning to change to the great OpenBSD pf, we have tried to do accounting with pf... but the same behaviour occurs (tests have been done with big files).

  From/to    inet  fw01  jail  sr01  sr02
  Internet   -     ok    ok    KO    KO
  Fw01       ok    -     ok    ok    ok
  Jail       ok    ok    -     ok    ok
  Sr01       KO*   ok    ok    -     KO
  Sr02       KO*   ok    ok    KO    -

  * with pf enabled, scp connections go "stalled" very quickly (stop between 100 and 300 Kb of traffic)

Worst thing, the "default rule" accounting (any to any) does not report the "unreported" traffic... feels like rules are not processed. So I decided to make another test with pf. Adding "block in quick proto tcp from any to [jail_port] port smtp"; testing: works fine. But with the same rule with sr01 as destination host, IT DOESN'T WORK: from internet, fw01 or sr02, we can connect to the tcp port !!!!!!!!!!!!!!!!!

It's not pf related, because the same behaviour occurs with IPF!!!!!!!!

Details
fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge, nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel

------------------------------------pf.conf
set loginterface fxp1
jail=**IP**
sr01=**IP**
sr02=**IP**
#block in quick proto tcp from any to $sr01 port smtp
pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11
pass all
------------------------------------

Seems to be FreeBSD 5.3 bridge support related...
Can someone take a look at this? Thanks!

--
Clément Moulin
SimpleRezo - Simplify your network!
Tel.: +33 871 763 102 - Web: http://www.simplerezo.com/

From owner-freebsd-security@FreeBSD.ORG Wed Dec 1 13:21:03 2004
From: Clément MOULIN <cmoulin@simplerezo.com>
Date: Wed, 1 Dec 2004 14:20:40 +0100
Organization: SimpleRezo
cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: RE: FreeBSD bridge + filtering, BIG problem

Pyun YongHyeon wrote:
> Both pf and ipf can't create *states* in bridge mode. That restriction
> comes from bridge(4). Since pf/ipf couldn't create states it will drop
> the packet when it thinks the packet is out of the TCP window.
>
> If you want to use pf/ipf in bridge mode, don't use stateful inspection.
> One more note: filtering works only for inbound traffic in bridge mode.

If you're right, it SHOULD really be specified in bridge(4), but I'm not very sure about this, since I see states with pfctl and no packets are dropped in my case (except maybe in scp from internet to sr01)!

Finally, I have found the main problem. Both for ipf/pf, I have to set the sysctl "net.link.ether.bridge.ipf" to 1... That doesn't exist on FreeBSD 4.X. After that, incoming traffic is filtered (accounting works, blocking rules too).
We REALLY need to specify this in the FreeBSD handbook (sections 14.9 - firewalls and 24.5.4 - bridging) and the Migration Guide of 5.X, since it could be a big security hole.

My last problem is that scping from sr01 to the internet stalls after 144KB exactly (internet to sr01 works)! This is a pf issue, since it occurs only when pf is enabled.

--
Clément Moulin
SimpleRezo - Simplify your network!
Web: http://www.simplerezo.com/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 00:12:27 2004
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Thu, 2 Dec 2004 00:12:27 GMT
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-04:17.procfs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-04:17.procfs                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in procfs and linprocfs

Category:       core
Module:         sys
Announced:      2004-12-01
Credits:        Bryan Fulton, Ted Unangst, and the SWAT analysis tool
                Coverity, Inc.
Affects:        All FreeBSD releases
Corrected:      2004-12-01 21:33:35 UTC (RELENG_5, 5.3-STABLE)
                2004-12-01 21:34:23 UTC (RELENG_5_3, 5.3-RELEASE-p2)
                2004-12-01 21:34:43 UTC (RELENG_5_2, 5.2.1-RELEASE-p13)
                2004-12-01 21:33:57 UTC (RELENG_4, 4.10-STABLE)
                2004-12-01 21:35:10 UTC (RELENG_4_10, 4.10-RELEASE-p5)
                2004-12-01 21:35:57 UTC (RELENG_4_8, 4.8-RELEASE-p27)
CVE Name:       CAN-2004-1066

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The process file system, procfs(5), implements a view of the system
process table inside the file system. It is normally mounted on /proc,
and is required for the complete operation of programs such as ps(1)
and w(1).

The Linux process file system, linprocfs(5), emulates a subset of
Linux's process file system and is required for the complete operation
of some Linux binaries.

II.  Problem Description

The implementation of the /proc/curproc/cmdline pseudofile in the
procfs(5) file system on FreeBSD 4.x and 5.x, and of the
/proc/self/cmdline pseudofile in the linprocfs(5) file system on
FreeBSD 5.x, reads a process' argument vector from the process address
space. During this operation, a pointer was dereferenced directly
without the necessary validation steps being performed.

III. Impact

A malicious local user could perform a local denial of service attack
by causing a system panic; or he could read parts of kernel memory.
Such memory might contain sensitive information, such as portions of
the file cache or terminal buffers.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way. For example, a terminal buffer
might contain a user-entered password.

FreeBSD 4.x does not implement the /proc/self/cmdline pseudofile in its
linprocfs(5) file system, and is therefore only affected if the
procfs(5) file system is mounted.

In its default configuration, FreeBSD 5.x does not utilize procfs(5) or
linprocfs(5) and will therefore be unaffected by this vulnerability
unless the configuration is changed.

IV.  Workaround

Unmount the procfs and linprocfs file systems if they are mounted.
Execute the following command as root:

  umount -A -t procfs,linprocfs

Also, remove or comment out any lines in fstab(5) that reference
`procfs' or `linprocfs', so that they will not be re-mounted at next
reboot.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
5.2, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/miscfs/procfs/procfs_status.c                          1.20.2.6
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.6
  src/sys/conf/newvers.sh                                    1.44.2.34.2.7
  src/sys/miscfs/procfs/procfs_status.c                      1.20.2.5.4.1
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.30
  src/sys/conf/newvers.sh                                   1.44.2.29.2.28
  src/sys/miscfs/procfs/procfs_status.c                      1.20.2.4.8.2
RELENG_5
  src/sys/compat/linprocfs/linprocfs.c                           1.84.2.1
  src/sys/fs/procfs/procfs_status.c                              1.52.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.5
  src/sys/compat/linprocfs/linprocfs.c                           1.84.4.1
  src/sys/conf/newvers.sh                                    1.62.2.15.2.7
  src/sys/fs/procfs/procfs_status.c                              1.52.4.1
RELENG_5_2
  src/UPDATING                                                 1.282.2.21
  src/sys/compat/linprocfs/linprocfs.c                           1.78.2.1
  src/sys/conf/newvers.sh                                       1.56.2.20
  src/sys/fs/procfs/procfs_status.c                              1.49.2.1
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 01:36:41 2004
From: Masachika ISHIZUKA <ishizuka@ish.org>
To: freebsd-security@freebsd.org
Date: Thu, 02 Dec 2004 10:36:39 +0900 (JST)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:17.procfs

> FreeBSD-SA-04:17.procfs                                     Security Advisory
>                                                           The FreeBSD Project

Dear FreeBSD Security Advisories officer.

I cannot verify the PGP signature of this mail.
Is this a correct advisory?

--
ishizuka@ish.org

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 07:09:28 2004
From: Flemming Jacobsen <fj@batmule.dk>
To: Masachika ISHIZUKA
Date: Thu, 2 Dec 2004 08:09:20 +0100
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:17.procfs

Masachika ISHIZUKA wrote:
> > FreeBSD-SA-04:17.procfs                                     Security Advisory
> >                                                           The FreeBSD Project
> I cannot verify the PGP signature of this mail.
> Is this a correct advisory?

I get:
gpg: Signature made Thu Dec  2 00:57:08 2004 CET using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer "

I.e. no problem, checks out fine.

Hyg'
        Flemming

--
Flemming Jacobsen                          Email: fj@batmule.dk
---=== If speed kills, Windows users may live forever. ===---

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 08:54:56 2004
From: Richard Kojedzinszky <krichy@tvnetwork.hu>
To: Flemming Jacobsen
cc: freebsd-security@freebsd.org
Date: Thu, 2 Dec 2004 09:54:53 +0100 (CET)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:17.procfs

Dear all,

It validates the mail well for me, too.

Kojedzinszky Richard
TvNetWork Rt.
E-mail: krichy@tvnetwork.hu
PGP: 0x24E79141
Fingerprint = 6847 ECFF EF58 0C09 18A5 16CF 270F 0C6F 24E7 9141

On Thu, 2 Dec 2004, Flemming Jacobsen wrote:

> Masachika ISHIZUKA wrote:
> > > FreeBSD-SA-04:17.procfs                                     Security Advisory
> > >                                                           The FreeBSD Project
> > I cannot verify the PGP signature of this mail.
> > Is this a correct advisory?
>
> I get:
> gpg: Signature made Thu Dec  2 00:57:08 2004 CET using DSA key ID CA6CDFB2
> gpg: Good signature from "FreeBSD Security Officer "
>
> I.e. no problem, checks out fine.
>
> Hyg'
>         Flemming
>
> --
> Flemming Jacobsen                          Email: fj@batmule.dk
> ---=== If speed kills, Windows users may live forever. ===---
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 10:05:09 2004
From: Masachika ISHIZUKA <ishizuka@ish.org>
To: freebsd-security@freebsd.org
Date: Thu, 02 Dec 2004 19:05:07 +0900 (JST)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:17.procfs

> It validates the mail well for me, too.
>
>>>> FreeBSD-SA-04:17.procfs                                     Security Advisory
>>>>                                                           The FreeBSD Project
>>> I cannot verify the PGP signature of this mail.
>>> Is this a correct advisory?
>>
>> I get:
>> gpg: Signature made Thu Dec  2 00:57:08 2004 CET using DSA key ID CA6CDFB2
>> gpg: Good signature from "FreeBSD Security Officer "
>>
>> I.e. no problem, checks out fine.

Hi, thank you for the mail.
I rechecked with gpg and found that the mail is good.
When I used pgp5 (unix50i1b), it could not check correctly.
Sorry to disturb you.

--
ishizuka@ish.org

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 12:05:44 2004
From: Paulo Fragoso <paulo@nlink.com.br>
To: Ondra Holecek
Date: Thu, 02 Dec 2004 09:05:35 -0300
cc: freebsd-security@freebsd.org
Subject: Re: Jail fails

Ondra Holecek wrote, On 24/11/2004 18:27:
> Do you really need to create full system? I think it is better to jail
> only one process, if it is possible of course...

Yes, it will be a full web server running ftp, apache, qmail, etc.

Paulo.

From owner-freebsd-security@FreeBSD.ORG Thu Dec 2 10:09:58 2004
From: "Oleg V. Nauman" <oleg@core.zp.ua>
To: freebsd-security@freebsd.org
Date: Thu, 2 Dec 2004 12:08:47 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:17.procfs

On Thu, Dec 02, 2004 at 07:05:07PM +0900, Masachika ISHIZUKA wrote:
> > It validates the mail well for me, too.
> >
> >>>> FreeBSD-SA-04:17.procfs                                     Security Advisory
> >>>>                                                           The FreeBSD Project
> >>> I cannot verify the PGP signature of this mail.
> >>> Is this a correct advisory?
> >>
> >> I get:
> >> gpg: Signature made Thu Dec  2 00:57:08 2004 CET using DSA key ID CA6CDFB2
> >> gpg: Good signature from "FreeBSD Security Officer "
> >>
> >> I.e. no problem, checks out fine.
>
> Hi, thank you for the mail.
> I rechecked with gpg and found that the mail is good.
> When I used pgp5 (unix50i1b), it could not check correctly.

pgp6 couldn't check the PGP signature from that message either.

> Sorry to disturb you.
> --
> ishizuka@ish.org

--
NO37-RIPE

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sat Dec 4 06:24:28 2004
From: "Jesper Wallin" <jesper@hackunite.net>
To: freebsd-security@freebsd.org
Date: Sat, 4 Dec 2004 07:24:27 +0100 (CET)
Subject: Is my Apache server running as the root user or not?
Heya..

By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my Apache is running as the user "www" and the group "www". Yet, when I run sockstat, it tells me one of the forks is run as root and listening on port 80, as well as the other forks being run by www:www. If I got a lot of users connecting to my server on port 80, will their requests ever be answered by the root fork or the www:www forks?

--- snip ---
[root@ninja:~]# sockstat -l4p80
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      18149 3  tcp4   *:80                  *:*
www      httpd      18148 3  tcp4   *:80                  *:*
www      httpd      18147 3  tcp4   *:80                  *:*
www      httpd      14055 3  tcp4   *:80                  *:*
www      httpd      14054 3  tcp4   *:80                  *:*
www      httpd      14053 3  tcp4   *:80                  *:*
www      httpd      14052 3  tcp4   *:80                  *:*
www      httpd      14051 3  tcp4   *:80                  *:*
root     httpd      14050 3  tcp4   *:80                  *:*
[root@ninja:~]#
--- snip ---

Best regards,
Jesper Wallin

From owner-freebsd-security@FreeBSD.ORG Sat Dec 4 11:13:44 2004
From: Clement Laforet <sheep.killer@cultdeadsheep.org>
To: freebsd-security@freebsd.org
Date: Sat, 4 Dec 2004 12:14:05 +0100
Organization: tH3 cUlt 0f tH3 d3@d sH33p
Subject: Re: Is my Apache server running as the root user or not?

On Sat, 4 Dec 2004 07:24:27 +0100 (CET)
"Jesper Wallin" wrote:

> Heya..
>
> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that
> my Apache is running as the user "www" and the group "www". Yet,
> when I run sockstat, it tells me one of the forks is run as root
> and listening on port 80, as well as the other forks being run by
> www:www. If I got a lot of users connecting to my server on port 80,
> will their requests ever be answered by the root fork or the www:www
> forks?

The process owned by root is the parent process.
It doesn't actually handled connections, only sets up socket(s) at initialization stage. Children processes (owned by your User/Group settings) accept new connections and deal with the requests. Since you need to be root be able to bind on port 80, parent process is owned by root. clem -- From owner-freebsd-security@FreeBSD.ORG Sat Dec 4 09:10:02 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF8CA16A577 for ; Sat, 4 Dec 2004 09:10:02 +0000 (GMT) Received: from 168.18.broadband2.iol.cz (27.240.broadband2.iol.cz [83.208.240.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C2D843D49 for ; Sat, 4 Dec 2004 09:10:02 +0000 (GMT) (envelope-from bln@deprese.net) Received: from [172.16.2.2] (helo=[172.16.2.2]) by 168.18.broadband2.iol.cz with asmtp (Exim 4.41) id 1CaVvU-0008VW-BZ for freebsd-security@freebsd.org; Sat, 04 Dec 2004 10:10:00 +0100 Message-ID: <41B17EE5.90707@deprese.net> Date: Sat, 04 Dec 2004 10:09:57 +0100 From: Ondra Holecek User-Agent: Mozilla Thunderbird 0.8 (X11/20041014) X-Accept-Language: en-us, en MIME-Version: 1.0 Cc: freebsd-security@freebsd.org References: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net> In-Reply-To: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Sat, 04 Dec 2004 13:33:10 +0000 Subject: Re: Is my Apache server running as the root user or not? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Dec 2004 09:10:03 -0000 Hi, Apache has to be started as root, because it needs to bind to port 80 (ie. <1024). 
But this process doesn't serve clients, it only forks and then the id of forked process is changed to www and then it can serve clients... Jesper Wallin wrote: > Heya.. > > By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my Apache is > running as the user "www" and the group "www" .. Yet, when I run sockstat, it tells me > one of the forks are runned as root and listening on port 80 as well as the other forks > are runned by www:www.. If I got a lot of users connecting to my server on port 80, will > thier requests ever be answered by the root fork or the www:www forks? > > --- snip --- > [root@ninja:~]# sockstat -l4p80 > USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS www httpd > 18149 3 tcp4 *:80 *:* > www httpd 18148 3 tcp4 *:80 *:* > www httpd 18147 3 tcp4 *:80 *:* > www httpd 14055 3 tcp4 *:80 *:* > www httpd 14054 3 tcp4 *:80 *:* > www httpd 14053 3 tcp4 *:80 *:* > www httpd 14052 3 tcp4 *:80 *:* > www httpd 14051 3 tcp4 *:80 *:* > root httpd 14050 3 tcp4 *:80 *:* > [root@ninja:~]# > --- snip --- > > > Best regards, > Jesper Wallin > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > -- # If it happens once, it's a bug. # If it happens twice, it's a feature. # If it happens more then twice, it's a design philosophy. 
From owner-freebsd-security@FreeBSD.ORG Sat Dec 4 09:47:53 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C3D316A4CF for ; Sat, 4 Dec 2004 09:47:53 +0000 (GMT) Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180]) by mx1.FreeBSD.org (Postfix) with SMTP id C239943D46 for ; Sat, 4 Dec 2004 09:47:50 +0000 (GMT) (envelope-from sirmoo@cowbert.net) Received: (qmail 14632 invoked by uid 1001); 4 Dec 2004 09:47:50 -0000 Date: Sat, 4 Dec 2004 04:47:49 -0500 From: "Peter C. Lai" To: Jesper Wallin Message-ID: <20041204094749.GA268@cowbert.net> References: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net> User-Agent: Mutt/1.5.6i X-Mailman-Approved-At: Sat, 04 Dec 2004 13:33:10 +0000 cc: freebsd-questions@freebsd.org Subject: Re: Is my Apache server running as the root user or not? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Dec 2004 09:47:53 -0000 This isn't on-topic for the list, but I'll answer it anyway. The Apache parent runs as root so that it can attach to port 80. After a packet reaches port 80, Apache will hand it off to a child process running as www. The parent process also does other housekeeping duties as you would expect from any other parent process. On Sat, Dec 04, 2004 at 07:24:27AM +0100, Jesper Wallin wrote: > Heya.. > > By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my Apache is > running as the user "www" and the group "www" .. 
Yet, when I run sockstat, it tells me > one of the forks are runned as root and listening on port 80 as well as the other forks > are runned by www:www.. If I got a lot of users connecting to my server on port 80, will > thier requests ever be answered by the root fork or the www:www forks? > > --- snip --- > [root@ninja:~]# sockstat -l4p80 > USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS www httpd > 18149 3 tcp4 *:80 *:* > www httpd 18148 3 tcp4 *:80 *:* > www httpd 18147 3 tcp4 *:80 *:* > www httpd 14055 3 tcp4 *:80 *:* > www httpd 14054 3 tcp4 *:80 *:* > www httpd 14053 3 tcp4 *:80 *:* > www httpd 14052 3 tcp4 *:80 *:* > www httpd 14051 3 tcp4 *:80 *:* > root httpd 14050 3 tcp4 *:80 *:* > [root@ninja:~]# > --- snip --- > > > Best regards, > Jesper Wallin > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Peter C. Lai University of Connecticut Dept. 
of Molecular and Cell Biology Yale University School of Medicine SenseLab | Research Assistant http://cowbert.2y.net/ From owner-freebsd-security@FreeBSD.ORG Sat Dec 4 18:49:32 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96B5D16A4CE for ; Sat, 4 Dec 2004 18:49:32 +0000 (GMT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27C5243D70 for ; Sat, 4 Dec 2004 18:49:32 +0000 (GMT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.13.1/8.13.1) with ESMTP id iB4IlFwB031291; Sat, 4 Dec 2004 13:47:15 -0500 (EST) (envelope-from robert@fledge.watson.org) Received: from localhost (robert@localhost)iB4IlFwa031288; Sat, 4 Dec 2004 18:47:15 GMT (envelope-from robert@fledge.watson.org) Date: Sat, 4 Dec 2004 18:47:15 +0000 (GMT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Jesper Wallin In-Reply-To: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Is my Apache server running as the root user or not? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Dec 2004 18:49:32 -0000 On Sat, 4 Dec 2004, Jesper Wallin wrote: > > By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my > Apache is running as the user "www" and the group "www" .. Yet, when I > run sockstat, it tells me one of the forks are runned as root and > listening on port 80 as well as the other forks are runned by www:www.. 
> If I got a lot of users connecting to my server on port 80, will thier > requests ever be answered by the root fork or the www:www forks? As other posts have pointed out, Apache runs initially as root in order to bind a privileged port. What hasn't be mentioned explicitly is that the credential of the process creating the initial socket is cached at creation time, and that credential is what is later reported. The credential is inheritted by any sockets accepted from a listen socket, so that credential keeps being used. Since there isn't a 1:1 mapping ofsockets to processes, or even a many:1 mapping, there's not really any other credential around that "makes sense" to report. You can tweak the OS policy on what id's can bind what ports using sysctl; the ip(4) man page has details. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Principal Research Scientist, McAfee Research > > --- snip --- > [root@ninja:~]# sockstat -l4p80 > USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS www httpd > 18149 3 tcp4 *:80 *:* > www httpd 18148 3 tcp4 *:80 *:* > www httpd 18147 3 tcp4 *:80 *:* > www httpd 14055 3 tcp4 *:80 *:* > www httpd 14054 3 tcp4 *:80 *:* > www httpd 14053 3 tcp4 *:80 *:* > www httpd 14052 3 tcp4 *:80 *:* > www httpd 14051 3 tcp4 *:80 *:* > root httpd 14050 3 tcp4 *:80 *:* > [root@ninja:~]# > --- snip --- > > > Best regards, > Jesper Wallin > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
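A check that follows from the explanations in this thread, added here as an example and not code from any of the posters: it confirms, from the sockstat listing and a ps listing, that the root-owned httpd holding *:80 is only the parent and that every other holder is a non-root child of it. The ps column layout and the PPID values are assumed; the sockstat lines are a subset of those quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the only root-owned httpd
# holding the *:80 listen socket is the parent, and that every other holder is
# a non-root child of that parent. On a live FreeBSD host the inputs come from
# "sockstat -l4p80" and "ps -axo pid,ppid,user"; here both are constructed
# inline (sockstat lines taken from the thread, PPID values assumed).

SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      18149 3  tcp4   *:80                  *:*
www      httpd      18148 3  tcp4   *:80                  *:*
www      httpd      14051 3  tcp4   *:80                  *:*
root     httpd      14050 3  tcp4   *:80                  *:*'

PS='  PID  PPID USER
14050     1 root
14051 14050 www
18148 14050 www
18149 14050 www'

# Two shapes that should alarm you: a second root-owned holder of the listen
# socket, and a worker that was not forked by the root parent.
SOCKSTAT_BAD="$SOCKSTAT
root     httpd      14052 3  tcp4   *:80                  *:*"
PS_BAD='  PID  PPID USER
14050     1 root
14051 14050 www
18148 14050 www
18149     1 www'

# httpd_privsep_ok SOCKSTAT PS -> exit 0 only if exactly one root process holds
# *:80 and every other holder is non-root with that root process as parent.
httpd_privsep_ok() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { section++; next }
        section == 0 && $2 == "httpd" && $6 == "*:80" {
            if ($1 == "root") { roots++; parent = $3 } else { child[$3] = 1 }
        }
        section == 1 && $1 ~ /^[0-9]+$/ { ppid[$1] = $2 }
        END {
            if (roots != 1) exit 1              # none or several root listeners
            for (p in child)
                if (ppid[p] != parent) exit 1   # worker not forked by the parent
            exit 0
        }'
}

httpd_privsep_ok "$SOCKSTAT" "$PS" && echo "ok: root httpd is only the parent" || echo "NOT ok"
httpd_privsep_ok "$SOCKSTAT_BAD" "$PS" && echo "NOT ok" || echo "ok: extra root listener detected"
httpd_privsep_ok "$SOCKSTAT" "$PS_BAD" && echo "NOT ok" || echo "ok: orphan worker detected"
```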