From owner-freebsd-security@FreeBSD.ORG Sun May 7 20:15:14 2006
From: Bigby Findrake
To: "No@SPAM@mgEDV.net"
Cc: freebsd-security@freebsd.org
Date: Sun, 7 May 2006 13:15:42 -0700 (PDT)
Subject: RE: Jails and loopback interfaces
Message-ID: <20060507131243.U26146@home.ephemeron.org>
In-Reply-To: <000001c66f7f$b148b620$01010101@avalon.lan>

On Thu, 4 May 2006, No@SPAM@mgEDV.net wrote:

>> I recently did something like this. I have a webserver in a jail that
>> needs to talk to a database, and the webserver is the only thing that
>> should talk to the database.
>>
>> My solution was to use 2 jails: one for the webserver, and another for
>> the database.
>>
>> Jail 1:
>> * runs webserver
>> * binds to real interface with real, routable IP
>>
>> Jail 2:
>> * runs database server
>> * binds to loopback interface, isn't directly reachable
>>   from outside the box
>
> just to clarify that for me: did you set up this layout, or did you
> try to set it up? as i read it, i understand that you did!

I did set it up. My scenario is up and functioning in production.

> i tried exactly the same but currently jails are bound to the specific
> ip-address assigned to them, so i wonder how the webserver on a real
> ip-address can communicate with the database bound to the loopback ip?
> if you could kindly tell how you solved this issue (we're using 6.1).

Packets leaving a jail are not limited to leaving the host machine on the
same interface that the jail is bound to. The jail is limited to sending
packets from, and receiving packets to, the IP address that it's bound to,
but those packets can go out, or come in, any interface on the host
machine. You don't need to do any special routing or firewall or NAT or
anything to get a jail to be able to talk to the host.

/-------------------------------------------------------------------------/
Psychiatrists say that one out of four people are mentally ill.
Check three friends. If they're OK, you're it.
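The two-jail layout described in the message above, written out as an added
example (this is editorial example code, not a script any poster in this
thread ran). It prints, or with "apply" executes, the ifconfig, jail and
ipfw commands for a web-server jail on the host's routable address and a
database jail on an RFC1918 alias of lo0, plus the stateful "only allow what
you need" packet-filter rules. Every name in it is an assumption: em0 as the
public NIC, 203.0.113.10 as the host's routable IP, 10.0.2.2 as the loopback
alias, 5432 as the database port, /jails/www and /jails/db as jail roots,
and the example.org hostnames.

```sh
#!/bin/sh
# Added example, not code from the thread. Generates the commands for the
# two-jail layout (web jail on the routable IP, database jail on a lo0
# alias) so they can be reviewed before being run as root on the host.
# Assumed names: em0, 203.0.113.10, 10.0.2.2, port 5432, /jails/www,
# /jails/db, www.example.org, db.example.org.

PUB_IF=em0
WEB_IP=203.0.113.10   # assumed: the host's routable address, reused by the web jail
DB_IP=10.0.2.2        # assumed: RFC1918 alias on lo0 for the database jail
DB_PORT=5432          # assumed: PostgreSQL; use the port your database listens on

# Refuse the jail address the thread warns against (127.0.0.1 itself, which
# makes jail and host traffic indistinguishable to the packet filter) and
# anything that is not a dotted quad. Prints "ok" or "reject".
check_jail_ip() {
  case "$1" in
    127.0.0.1) echo reject ;;
    *.*.*.*)   echo ok ;;
    *)         echo reject ;;
  esac
}

# Loopback alias for the database jail. The web jail uses the address that
# is already configured on the public NIC, so it needs no alias.
alias_cmds() {
  printf 'ifconfig lo0 alias %s netmask 255.255.255.255\n' "$DB_IP"
}

# Start both jails. Web-to-database traffic never leaves the host: jail
# sockets are bound to the jail's IP, not to an interface.
jail_cmds() {
  printf 'jail /jails/www www.example.org %s /bin/sh /etc/rc\n' "$WEB_IP"
  printf 'jail /jails/db db.example.org %s /bin/sh /etc/rc\n' "$DB_IP"
}

# Stateful ipfw rules: only the web jail may open connections to the
# database port; the database jail may talk to nothing else; the web jail
# accepts port 80 from the outside but may not initiate TCP connections
# itself, so a compromised web server is a poor staging point.
ipfw_cmds() {
  cat <<EOF
ipfw -f flush
ipfw add 100 check-state
ipfw add 200 allow tcp from $WEB_IP to $DB_IP $DB_PORT setup keep-state
ipfw add 300 deny ip from $DB_IP to any
ipfw add 400 deny ip from any to $DB_IP
ipfw add 500 allow tcp from any to $WEB_IP 80 in via $PUB_IF setup keep-state
ipfw add 600 deny tcp from $WEB_IP to any setup
ipfw add 65000 allow ip from any to any
EOF
}

all_cmds() {
  alias_cmds
  jail_cmds
  ipfw_cmds
}

if [ "$1" = apply ]; then
  all_cmds | sh -ex
else
  all_cmds
fi
```

Run it without arguments on the FreeBSD host to review the command list;
run it with "apply" to execute the list. The final rule 65000 is a
catch-all for host traffic that the script does not cover and is where a
real ruleset would continue.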
finger://bigby@ephemeron.org http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Sun May 7 20:16:57 2006
From: Bigby Findrake
To: freebsd-security@freebsd.org, nospam@mgedv.net
Date: Sun, 7 May 2006 13:17:29 -0700 (PDT)
Subject: Re: Jails and loopback interfaces
Message-ID: <20060505142945.J26390@home.ephemeron.org>
In-Reply-To: <200605041415.k44EFYKF043028@lurza.secnetix.de>

On Thu, 4 May 2006, Oliver Fromme wrote:

> No@SPAM@mgEDV.net wrote:
> > > I recently did something like this. I have a webserver in a jail that
> > > needs to talk to a database, and the webserver is the only thing that
> > > should talk to the database.
> > >
> > > My solution was to use 2 jails: one for the webserver, and another for
> > > the database.
> > >
> > > Jail 1:
> > > * runs webserver
> > > * binds to real interface with real, routable IP
> > >
> > > Jail 2:
> > > * runs database server
> > > * binds to loopback interface, isn't directly reachable
> > >   from outside the box
> >
> > just to clarify that for me: did you set up this layout, or did you
> > try to set it up? as i read it, i understand that you did!
> >
> > i tried exactly the same but currently jails are bound to the specific
> > ip-address assigned to them, so i wonder how the webserver on a real
> > ip-address can communicate with the database bound to the loopback ip?
> > if you could kindly tell how you solved this issue (we're using 6.1).
>
> In fact, it is a good idea to _always_ bind jails to non-
> routable loopback IPs. For example:
>
> jail 1 (webserver) on 127.0.0.2
> jail 2 (database) on 127.0.0.3
>
> If a service needs to be accessible from the outside, you
> can use IPFW FWD rules to forward packets destined to the
> real IP to the jail's loopback IP.

Wouldn't you need to use some form of NAT and not forwarding? This is
from IPFW(8) (6.0-RELEASE):

    The fwd action does not change the contents of the packet at all.
    In particular, the destination address remains unmodified, so
    packets forwarded to another system will usually be rejected by
    that system unless there is a matching rule on that system to
    capture them. For packets forwarded locally, the local address
    of the socket will be set to the original destination address of
    the packet.

It seems to me that the jail might reject the packets, and even if it
didn't, would the replies from the jail get the right source address put
on them? I haven't tried what you're talking about, so I'm just guessing.
Forwarding doesn't seem to be the way to accomplish what you're talking
about.

/-------------------------------------------------------------------------/
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation...
finger://bigby@ephemeron.org http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Sun May 7 20:34:15 2006
From: Bigby Findrake
To: freebsd-security@freebsd.org
Date: Sun, 7 May 2006 13:34:44 -0700 (PDT)
Subject: RE: Jails and loopback interfaces
Message-ID: <20060507133430.V26146@home.ephemeron.org>

On Sat, 6 May 2006, No@SPAM@mgEDV.net wrote:

>> Bigby Findrake
>> Sent: Friday, May 05, 2006 11:42 PM
>
>> On Thu, 4 May 2006, Oliver Fromme wrote:
>>>> 192.168.10.1 = jail ip of the ws
>>>> 127.0.0.1 = jail ip of the db
>>>
>>> Don't use those IPs. In particular it's probably not a
>>> good idea to use localhost as a jail IP. Use only loopback
>>> IPs (other than localhost), like the example that I wrote
>>> above.
>>
>> I agree with Oliver here - there's a difference between using the
>> loopback adapter and using the localhost (127.0.0.1) IP. I would
>> strongly recommend against using localhost as a jail IP unless you
>> have a specific reason *to* do that - in other words, just assign an
>> alias to the loopback adapter and use that alias for the jail.
>>
>> One reason that comes to mind immediately in response to the unasked
>> question, "why not use the loopback address for a jail?" is that using
>> the loopback address for a jail makes it hard to separate (for use by
>> packet filters, for instance) host machine traffic from jail machine
>> traffic.
>>
>> There are probably other good reasons for *not* using the loopback
>> address for a jail as well, but I can't think of any of them.
>>
>>> And of course you should use appropriate packetfilter rules to enforce
>>> what kind of access between the jails is allowed. Only allow what you
>>> need.
>>
>> I agree again. If you're using the jail for security, lock it down,
>> only allow traffic that should be going to (and from!) the jail, and
>> disallow everything else. Servers tend to accept connections, and not
>> initiate them. If this is the case for your server processes, use
>> stateful firewall rules to enforce the direction of connections - for
>> instance, you might want to allow connections to port 80 on your jail,
>> but you probably wouldn't want people launching attacks *from* port 80
>> on your jail once they compromise your webserver. Assume that your
>> jail will get hacked, and do all you can to prevent that jail from
>> being a useful staging point for your attacker's next wave of attacks.
>>
> well, with your configurations i'm really concerned about the
> overlapping configurations of ip-addresses on the loopback-
> adapter.
> lo0 is originally configured with 127/8 and i'm not sure if
> there's not a chance to confuse something if you add ip's in
> the same range (127.0.1.1/32).

There isn't. We use IP aliases on physical adapters in the same manner
all the time. eg:

em0: flags=8843 mtu 1500
        options=b
        inet6 fe80::20e:cff:fe64:dc95%em0 prefixlen 64 scopeid 0x1
        inet 10.0.2.3 netmask 0xffffff00 broadcast 10.0.2.255
        inet 10.0.2.1 netmask 0xffffffff broadcast 10.0.2.1

No problem whatsoever.

> as far as i read on other posts
> about overlapping ip's it's not recommended (at least by some
> guys).

I can't think of any reason not to.

> what about configuring something like:
>
> ifconfig lo1 plumb
> ifconfig lo1 10.10.10.1 netmask 255.255.255.252 up
> ... and so on for further jails?

There's no reason to keep the jail on the loopback adapter in the 127/8
range. Set its IP as you would any other. An RFC1918 address seems
perfect, and that's what I used.

/-------------------------------------------------------------------------/
"I dread success.
To have succeeded is to have finished one's business on earth, like the
male spider, who is killed by the female the moment he has succeeded in
his courtship. I like a state of continual becoming, with a goal in front
and not behind." -- George Bernard Shaw
finger://bigby@ephemeron.org http://www.ephemeron.org/~bigby/
irc://irc.ephemeron.org/#the_pub news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Mon May 8 07:47:22 2006
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Date: Mon, 8 May 2006 09:47:13 +0200 (CEST)
Subject: Re: Jails and loopback interfaces
Message-Id: <200605080747.k487lD2U085854@lurza.secnetix.de>
In-Reply-To: <20060505142945.J26390@home.ephemeron.org>

Bigby Findrake wrote:
> Oliver Fromme wrote:
> > In fact, it is a good idea to _always_ bind jails to non-
> > routable loopback IPs. For example:
> >
> > jail 1 (webserver) on 127.0.0.2
> > jail 2 (database) on 127.0.0.3
> >
> > If a service needs to be accessible from the outside, you
> > can use IPFW FWD rules to forward packets destined to the
> > real IP to the jail's loopback IP.
>
> Wouldn't you need to use some form of NAT and not forwarding? This is
> from IPFW(8) (6.0-RELEASE):
>
>     The fwd action does not change the contents of the packet at all.
>     In particular, the destination address remains unmodified, so
>     packets forwarded to another system will usually be rejected by
>     that system unless there is a matching rule on that system to
>     capture them. For packets forwarded locally, the local address
>     of the socket will be set to the original destination address of
>     the packet.
>
> It seems to me that the jail might reject the packets,

No, a jail doesn't reject anything, because jails don't have their own
TCP/IP stack or routing table (actually it would be very nice if they
did). Trust me, it works. I've got such setups running in production. ;-)

> and even if it
> didn't, would the replies from the jail get the right source address put
> on them?

That's right. When processes within a jail open a network socket, those
sockets are forced to bind to the jail's IP address, so all packets
originating from that jail will have the jail's IP as the source address.
Therefore you have to install a NAT rule.

> Forwarding doesn't seem to be the way to accomplish what you're talking
> about.

Yes, packet forwarding is the perfect way to accomplish it. It's also
very efficient; the overhead is negligible.

I always recommend using loopback IPs for jails, because it is the most
secure way to set up jails, since loopback IPs are guaranteed to never
leave the local machine. So an attacker who manages to take control of
the jail (in whole or partly) cannot use it to launch further attacks.
Of course, that's only an _additional_ safety measure, not the only one.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"What is this talk of 'release'? We do not make software 'releases'.
Our software 'escapes', leaving a bloody trail of designers and quality
assurance people in its wake."

From owner-freebsd-security@FreeBSD.ORG Mon May 8 12:11:10 2006
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, nospam@mgedv.net
Date: Mon, 8 May 2006 14:10:55 +0200 (CEST)
Message-Id: <200605081210.k48CAtMj094360@lurza.secnetix.de>
In-Reply-To: <000101c67100$91e4fdc0$01010101@avalon.lan>
Subject: Re: Jails and loopback interfaces

No@SPAM@mgEDV.net wrote:
> well, with your configurations i'm really concerned about the
> overlapping configurations of ip-addresses on the loopback-
> adapter.

That's standard. It's completely normal to configure multiple IP
addresses on the same interface, no matter whether those addresses are
from different subnets or from the same subnet.

> lo0 is originally configured with 127/8 and i'm not sure if
> there's not a chance to confuse something if you add ip's in
> the same range (127.0.1.1/32).

No. It's a standard configuration. There's no part of the system that
"confuses something".

> as far as i read on other posts
> about overlapping ip's it's not recommended

What other posts do you mean? I don't see any reference.

> (at least by some guys).

Then I guess those guys must be wrong.

> ifconfig lo1 plumb
> ifconfig lo1 10.10.10.1 netmask 255.255.255.252 up
> ... and so on for further jails?

Now _that_ is confusing, and it doesn't increase your security.

> also, the handling of 127/8 would be much clearer in the fw,
> as far as my understanding goes.

Of course you should have appropriate packet filter rules to handle all
your traffic, including traffic on 127/8.

> to your security concerns about jailed processes that are taken over
> by hackers: my primary goal is not protecting the box (yes, we
> back them up ,-) ), it's more protecting the data on it.

In order to protect the data on it, you have to protect the box. And a
backup alone provides zero protection against attacks, and doesn't
secure your data. If your data is precious, then at the very least you
should use a host IDS (e.g. tripwire, or even mtree which is in the
base system).

> and if
> i have very good and tight jails and an attacker is able to eg.
> download all customer data by code injection on the http-frontend,
> i guess a less tight jail is one of my last problems!
> and the jail can be as tight as possible, if there's just one
> php-script that fails, all the jailing/fw-rules don't help, because
> the communication between ws<--->db has to work anyway.

Being able to download all data is one thing. Basically, you should
assume that all data on a web server is public. That's especially true
when you use bug-prone stuff like PHP.

However, being able to _modify_ data (e.g. "deface" a web site or change
database content) is another thing. I guess you do not want that at all.

You are right that jails are not the best solution for all of those
problems. The main purpose of jails is to provide a way to isolate and
separate services from one another and from the host system, and to
minimize damage in the case that an attacker is able to exploit a hole
in one of the services.

You are right saying that _if_ there is a hole in a PHP script, the jail
won't protect the data which is accessible from within the jail. But the
jail _will_ protect all other data on the same machine (provided that it
is set up correctly with a reasonable plan and design). That's what jails
are all about. That's why it is a good idea to make them as tight as
possible. Using loopback IPs is one step (of many) that can be useful
for tightening them.
Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"[...] one observation we can make here is that Python makes an
excellent pseudocoding language, with the wonderful attribute that
it can actually be executed." -- Bruce Eckel

From owner-freebsd-security@FreeBSD.ORG Mon May 8 14:01:46 2006
From: "No@SPAM@mgEDV.net"
To: freebsd-security@FreeBSD.ORG
Date: Mon, 8 May 2006 16:01:41 +0200
Subject: RE: Jails and loopback interfaces
Message-ID: <000001c672a7$eedf8a10$01010101@avalon.lan>
In-Reply-To: <200605081210.k48CAtMj094360@lurza.secnetix.de>

well, i got your ideas, btw, could someone please clarify this for me:
i configured a separate interface for the jailed dns-server:

ifconfig lo5 plumb
ifconfig lo5 10.10.5.1 netmask 255.255.255.0 up

the nameserver listens on 10.10.5.1#55053 (everything's fine there).

although the dns-server is bound to the specific ip-address, which
again is bound to a separate interface, i do not see a single packet
with tcpdump on this interface. even the loopback interface lo0 does
not show anything.

instead, the packets are generated from my lan-interface myk0, which
has a route to the forwarder.

why are the packets generated on an interface that the server is not
bound to and there is no redirect for?

From owner-freebsd-security@FreeBSD.ORG Mon May 8 14:22:16 2006
From: "No@SPAM@mgEDV.net"
To: freebsd-security@FreeBSD.ORG
Date: Mon, 8 May 2006 16:22:10 +0200
Subject: RE: Jails and loopback interfaces [SOLVED]
Message-ID: <000701c672aa$cb8dc330$01010101@avalon.lan>
In-Reply-To: <000001c672a7$eedf8a10$01010101@avalon.lan>
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 May 2006 14:22:17 -0000 > although the dns-server is bound to the specific ip-address, which > again is bound to a separate interface, i do not see just one packet > with tcpdump on this interface. even the loopback interface lo0 does > not show anything. > > instead, the packets are generated from my lan-interface myk0, which > has a route to the forwarder. > > why are the packets generated on an interface, that the server is not > bound to and there is no redirect for? classical PEBKAC problem ;_) --- sorry! i just re-started the daemon and the packet's are seen on the lo5 interface... From owner-freebsd-security@FreeBSD.ORG Tue May 9 07:08:12 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1ECB516A400 for ; Tue, 9 May 2006 07:08:12 +0000 (UTC) (envelope-from johnryan_852@hotmail.com) Received: from hotmail.com (bay22-f24.bay22.hotmail.com [64.4.16.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id D255E43D49 for ; Tue, 9 May 2006 07:08:11 +0000 (GMT) (envelope-from johnryan_852@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 9 May 2006 00:08:11 -0700 Message-ID: Received: from 80.15.249.165 by by22fd.bay22.hotmail.msn.com with HTTP; Tue, 09 May 2006 07:08:07 GMT X-Originating-IP: [157.161.173.24] X-Originating-Email: [johnryan_852@hotmail.com] X-Sender: johnryan_852@hotmail.com From: "fred bloggs" To: freebsd-security@freebsd.org Date: Tue, 09 May 2006 07:08:07 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 09 May 2006 07:08:11.0356 (UTC) FILETIME=[550711C0:01C67337] Subject: IPsec with Racoon2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2006 07:08:12 -0000 Hi, I tried posting this to FreeBSD-questions and to freebsd-security (while not a member) and haven't had any replies. I'm trying to get IPsec running between 2 FreeBSD boxes, using racoon2. I was originnaly using vmware systems, but in order to eliminate vmware as a cause, I've moved it to a native machine. spmd and iked start up okay, but I get an error when I try a ping across the tunnel. /var/log/messages shows: May 5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: if_spmd.c:726: SLID failed: 550 Operation failed May 5 13:52:36 biosa-vm4 iked: [INTERNAL_ERR]: isakmp.c:647:isakmp_initiate_cont(): 0:172.20.36.55[0] - 172.20.36.52[0]:0x0:can't find selector (index (null)) The startup shows: 2006-05-05 13:53:54 [INFO]: main.c:269:main(): starting iked for racoon2 20051102a 2006-05-05 13:53:54 [INFO]: main.c:272:main(): OPENSSLDIR: "/etc/ssl" 2006-05-05 13:53:54 [INFO]: main.c:282:main(): reading config /usr/local/etc/racoon2.conf 2006-05-05 13:53:54 [DEBUG]: ike_conf.c:3247:ike_conf_check_consistency(): checking configuration 2006-05-05 13:53:54 [DEBUG]: if_spmd.c:350: spmd I/F connection ok: 220 F8A......76C2B9 2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3306: spmd_read_password_file([/usr/local/etc/racoon2/spmd.pwd], [cfsetup.c:3376], 1) 2006-05-05 13:53:54 [DEBUG]: cfsetup.c:3351: read 16 bytes 20 06-05-05 13:53:54 [DEBUG]: if_spmd.c:413: spmd LOGIN ok: 250 OK 2006-05-05 13:53:54 [INFO]: isakmp.c:339:isakmp_open(): socket 5 bind 172.20.36.55[500] uname -a shows: Running FreeBSD-STABLE via cvsup FreeBSD zengyu.nowhere.com 6.1-RC FreeBSD 6.1-RC #0: Fri Apr 28 12:36:37 CEST 2006 Heres my network: The host has 2 network cards are functional. 
ifconfig_rl0="inet 172.20.36.55 netmask 0xfffff800"
ifconfig_xl0="inet 192.168.4.1 netmask 0xffffff00"

#     _______________________                  _______________________
#    / Ext IP A.B.C.D        \     tunnel     / Ext IP W.X.Y.Z        \
# ---| Int IP 192.168.1.1/24 |===============| Int IP 192.168.4.1/24 |---
#    \_______________________/                \_______________________/
#
# For host "A.B.C.D"
# gif_interfaces="gif0"
# gifconfig_gif0="A.B.C.D W.X.Y.Z"
# ifconfig_gif0="inet 192.168.1.1 192.168.4.1 netmask 0xffffffff"
# static_routes="vpn"
# route_vpn="-net 192.168.4.0/24 192.168.4.1"

gif_interfaces="gif0"
gifconfig_gif0="172.20.36.55 172.20.36.52"
ifconfig_gif0="inet 192.168.4.1 192.168.1.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="-net 192.168.1.0/24 192.168.1.1"

Without IPsec running, I can ping the remote interfaces 192.168.[14].1 both ways.

My racoon2.conf looks like:

setval {
	PSKDIR "/usr/local/etc/racoon2/psk";
	CERTDIR "/usr/local/etc/racoon2/cert";
};

# interface info
interface {
	ike {
		MY_IPV4%rl0;
	};
	spmd {
		unix "/var/run/racoon/spmif";
	};
	spmd_password "/usr/local/etc/racoon2/spmd.pwd";
};

# resolver info
resolver {
	resolver off;
};

#
# default section
#
default {
	remote {
		ikev2 {
			logmode normal;
			kmp_sa_lifetime_time infinite;
			kmp_sa_lifetime_byte infinite;
			max_retry_to_send 3;
			interval_to_send 10 sec;
			times_per_send 1;
			kmp_sa_nego_time_limit 60 sec;
			ipsec_sa_nego_time_limit 40 sec;
			kmp_enc_alg { aes256_cbc; 3des_cbc; };
			kmp_hash_alg { hmac_sha1; hmac_md5; aes_xcbc; };
			kmp_auth_method { dss; };
			kmp_dh_group { 1; 2; 5; 14; 15; };
			random_pad_content on;
			random_padlen on;
			max_padlen 50 bytes;
		};
	};
	policy {
		ipsec_mode tunnel;
		ipsec_level unique;	# Not Yet Implemented, always 'unique'
	};
	ipsec {
		ipsec_sa_lifetime_time infinite;
		ipsec_sa_lifetime_byte infinite;
	};
	sa {
		esp_enc_alg { aes128_cbc; 3des_cbc; };
		esp_auth_alg { hmac_sha1; hmac_md5; };
	};
};

ipsec ipsec_ah_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index { ah_01; esp_01; };
};

ipsec ipsec_esp {
	ipsec_sa_lifetime_time 28800 sec;
	sa_index esp_01;
};

sa ah_01 {
	sa_protocol ah;
	ah_auth_alg { hmac_sha1; hmac_md5; };
};

sa esp_01 {
	sa_protocol esp;
	esp_enc_alg { aes128_cbc; 3des_cbc; };
	esp_auth_alg { hmac_sha1; hmac_md5; };
};

# biosa-vm1.ch.genedata.com
remote biosa-vm1.nowhere.com {
	acceptable_kmp { ikev2; };
	ikev2 {
		my_id fqdn "biosa-vm4.nowhere.com";
		peers_id fqdn "biosa-vm1.nowhere.com";
		peers_ipaddr 172.20.36.52 port 500;
		kmp_enc_alg { aes256_cbc; aes192_cbc; 3des_cbc; };
		kmp_prf_alg { hmac_md5; hmac_sha1; aes128_cbc; };
		kmp_hash_alg { hmac_md5; hmac_sha1; aes_xcbc; };
		kmp_dh_group { 5; };
		kmp_auth_method { psk; };
		pre_shared_key "${PSKDIR}/secret.psk";
	};
	selector_index 42;
};

selector 41 {
	direction outbound;
	src 172.20.36.55;
	dst 172.20.36.52;
	upper_layer_protocol "tcp";
	policy_index TUNNEL;
};

selector 42 {
	direction inbound;
	dst 172.20.36.52;
	src 172.20.36.55;
	upper_layer_protocol "tcp";
	policy_index TUNNEL;
};

policy TUNNEL {
	action auto_ipsec;
	remote_index biosa-vm1.nowhere.com;
	ipsec_mode tunnel;
	ipsec_index { ipsec_esp; };
	ipsec_level unique;
	peers_sa_ipaddr 172.20.36.52;
	my_sa_ipaddr 172.20.36.55;
};

Anyone got any idea what I'm doing wrong?

Thanks in advance
John Ryan

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
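The following is an added example, not part of John's post and not racoon2 code: a toy model of the SPD selector lookup that the "can't find selector" line above reports as failing, run against the two selectors from the posted racoon2.conf. The packets are constructed here. Whether the lookup sees the inner ICMP packet or the outer IP-in-IP packet that gif0 produces is an assumption the page does not settle, so both are tried; the `upper_layer_protocol "any"` spelling and the swapped src/dst on the inbound side of the repaired set are assumptions too, the latter being how a selector for traffic arriving from the peer has to read. What follows from the posted config alone: a ping never matches a selector restricted to TCP between the outer addresses, and selector 42 as written names the peer as destination, so no packet arriving from the peer satisfies it.

```python
"""Added example (not racoon2 code): toy SPD selector lookup for the selectors
posted above. Packets and the 'repaired' selector set are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IANA protocol numbers used below.
PROTO = {"icmp": 1, "ipencap": 4, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    direction: str   # "outbound" or "inbound", relative to this host
    src: str
    dst: str
    proto: str       # key of PROTO


@dataclass(frozen=True)
class Selector:
    index: int
    direction: str
    src: str                    # address or prefix, "172.20.36.55" or "192.168.4.0/24"
    dst: str
    upper_layer_protocol: str   # "any" or a key of PROTO
    policy_index: str

    def matches(self, pkt: Packet) -> bool:
        """Direction, source, destination and upper-layer protocol all have to agree."""
        if pkt.direction != self.direction:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.upper_layer_protocol == "any":
            return True
        return PROTO[self.upper_layer_protocol] == PROTO[pkt.proto]


def find_selector(selectors: List[Selector], pkt: Packet) -> Optional[int]:
    """Index of the first matching selector, or None: the "can't find selector" case."""
    for sel in selectors:
        if sel.matches(pkt):
            return sel.index
    return None


# The two selectors exactly as posted (selector 42 keeps its src/dst as written).
POSTED = [
    Selector(41, "outbound", "172.20.36.55", "172.20.36.52", "tcp", "TUNNEL"),
    Selector(42, "inbound",  "172.20.36.55", "172.20.36.52", "tcp", "TUNNEL"),
]

# Constructed traffic for `ping 192.168.1.1` from the 192.168.4.1 side.
INNER_PING = Packet("outbound", "192.168.4.1", "192.168.1.1", "icmp")   # before gif0
OUTER_GIF = Packet("outbound", "172.20.36.55", "172.20.36.52", "ipencap")  # after gif0
# A TCP connection between the outer addresses: the only thing selector 41 describes.
OUTER_TCP = Packet("outbound", "172.20.36.55", "172.20.36.52", "tcp")
# A packet from the peer: inbound traffic carries the peer as *source*.
PEER_TCP = Packet("inbound", "172.20.36.52", "172.20.36.55", "tcp")

# Assumed repair: any protocol, inbound side swapped, and inner networks named
# in case the lookup is done on the packet before gif0 encapsulates it.
REPAIRED = [
    Selector(41, "outbound", "172.20.36.55", "172.20.36.52", "any", "TUNNEL"),
    Selector(42, "inbound",  "172.20.36.52", "172.20.36.55", "any", "TUNNEL"),
    Selector(43, "outbound", "192.168.4.0/24", "192.168.1.0/24", "any", "TUNNEL"),
    Selector(44, "inbound",  "192.168.1.0/24", "192.168.4.0/24", "any", "TUNNEL"),
]

if __name__ == "__main__":
    for name, pkt in [("inner ping", INNER_PING), ("outer gif", OUTER_GIF),
                      ("outer tcp", OUTER_TCP), ("peer tcp", PEER_TCP)]:
        print(f"{name:10s} posted={find_selector(POSTED, pkt)!s:5s} "
              f"repaired={find_selector(REPAIRED, pkt)}")
```

Running it prints the selector index each packet resolves to under both sets; `None` is the outcome the log line reports. Only the TCP packet between the outer addresses finds a selector in the posted set.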
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From owner-freebsd-security@FreeBSD.ORG Tue May 9 07:56:19 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7869E16A41F for ; Tue, 9 May 2006 07:56:19 +0000 (UTC) (envelope-from mikhailg@webanoide.org) Received: from cayster.multisite.site5.com (cayster.multisite.site5.com [216.118.97.189]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1DF5643D45 for ; Tue, 9 May 2006 07:56:19 +0000 (GMT) (envelope-from mikhailg@webanoide.org) Received: from ppp105-174.lns1.hba1.internode.on.net ([150.101.105.174]) by cayster.multisite.site5.com with esmtpa (Exim 4.52) id 1FdN4q-0002K7-CR; Tue, 09 May 2006 03:56:16 -0400 Message-ID: <44604B1E.2070802@webanoide.org> Date: Tue, 09 May 2006 17:56:14 +1000 From: Mikhail Goriachev Organization: Webanoide User-Agent: Thunderbird 1.5.0.2 (Macintosh/20060308) MIME-Version: 1.0 To: fred bloggs References: In-Reply-To: X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Antivirus-Scanner: This message has been scanned by ClamAV. 
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - cayster.multisite.site5.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12] X-AntiAbuse: Sender Address Domain - webanoide.org X-Source: X-Source-Args: X-Source-Dir: Cc: freebsd-security@freebsd.org Subject: Re: IPsec with Racoon2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2006 07:56:20 -0000 fred bloggs wrote: > Hi, > > I tried posting this to FreeBSD-questions and to freebsd-security (while > not a member) and haven't had any replies. > > I'm trying to get IPsec running between 2 FreeBSD boxes, using racoon2. > I was originnaly using vmware systems, but in order to eliminate vmware > as a cause, I've moved it to a native machine. > > [...] > > Anyone got any idea what I'm doing wrong? > > Thanks in advance > John Ryan > Hi, You might wanna consider /usr/ports/security/ipsec-tools instead. The following is an excellent doco on the matter: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html I got it cranking on production and it works like a charm. Cheers, Mikhail. 
-- Mikhail Goriachev Webanoide Telephone: +61 (0)3 62252501 Mobile Phone: +61 (0)4 38255158 E-Mail: mikhailg@webanoide.org Web: http://www.webanoide.org PGP Key ID: 0x4E148A3B PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B From owner-freebsd-security@FreeBSD.ORG Tue May 9 09:51:54 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FC9F16A401 for ; Tue, 9 May 2006 09:51:54 +0000 (UTC) (envelope-from johnryan_852@hotmail.com) Received: from hotmail.com (bay22-f16.bay22.hotmail.com [64.4.16.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B39D43D45 for ; Tue, 9 May 2006 09:51:54 +0000 (GMT) (envelope-from johnryan_852@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 9 May 2006 02:51:53 -0700 Message-ID: Received: from 64.124.83.17 by by22fd.bay22.hotmail.msn.com with HTTP; Tue, 09 May 2006 09:51:50 GMT X-Originating-IP: [157.161.173.24] X-Originating-Email: [johnryan_852@hotmail.com] X-Sender: johnryan_852@hotmail.com In-Reply-To: <44604B1E.2070802@webanoide.org> From: "fred bloggs" To: mikhailg@webanoide.org Date: Tue, 09 May 2006 09:51:50 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 09 May 2006 09:51:53.0976 (UTC) FILETIME=[33C3EF80:01C6734E] Cc: freebsd-security@freebsd.org Subject: Re: IPsec with Racoon2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2006 09:51:54 -0000 Thanks Mikhail, I've now got it running with ipsec-tools. 
I just thought racoon2 would be better because it uses IKEv2 Cheers John >From: Mikhail Goriachev >To: fred bloggs >You might wanna consider /usr/ports/security/ipsec-tools instead. The >following is an excellent doco on the matter: > >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html > >I got it cranking on production and it works like a charm. > >Cheers, >Mikhail. > > >-- >Mikhail Goriachev >Webanoide > >Telephone: +61 (0)3 62252501 >Mobile Phone: +61 (0)4 38255158 >E-Mail: mikhailg@webanoide.org >Web: http://www.webanoide.org > >PGP Key ID: 0x4E148A3B >PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B From owner-freebsd-security@FreeBSD.ORG Tue May 9 16:22:07 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7765C16A473; Tue, 9 May 2006 16:22:07 +0000 (UTC) (envelope-from borjamar@sarenet.es) Received: from smtp1.sarenet.es (smtp1.sarenet.es [194.30.0.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00B1843D48; Tue, 9 May 2006 16:22:06 +0000 (GMT) (envelope-from borjamar@sarenet.es) Received: from [127.0.0.1] (borja.sarenet.es [192.148.167.77]) by smtp1.sarenet.es (Postfix) with ESMTP id 7241019B; Tue, 9 May 2006 18:22:05 +0200 (CEST) Mime-Version: 1.0 (Apple Message framework v749.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Borja Marcos Date: Tue, 9 May 2006 18:22:05 +0200 To: doc@freebsd.org X-Mailer: Apple Mail (2.749.3) Cc: freebsd-security@freebsd.org Subject: Errors in the FreeBSD handbook (MAC framework) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5
Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2006 16:22:07 -0000

(crossposted to freebsd-security just in case someone has to slap me) :)

Hello,

I'm doing some work with the MAC subsystem in FreeBSD, and I have spotted some errors in the MAC documentation in the handbook.

1- Section 15.14.4. Error in the example dropping users "nagios" and "www" into the insecure class. The example uses the command "pw usermod nagios -L default" when it should obviously be "pw usermod nagios -L insecure". The same holds for the "www" user.

2- Section 15.14.6. The example script launches the commands "apachectl", and "/usr/local/etc/rc.d/nagios.sh" with the label biba/10, but they should be launched with the label biba/10(10-10).

I've defined the "default" login class with a label of "biba/high". I log in at the machine as root, and...

-----
# getpmac
biba/high(low-high)
# setpmac biba/low getpmac
biba/low(low-high)
# setpmac biba/low setpmac biba/high getpmac
biba/high(low-high)

So, if I launch a process with a "setpmac biba/low", it actually inherits a label of "biba/low(high-low)", being able to recover its biba/high setting, something that wouldn't be desirable. However, launching it with a label of "biba/low(low-low)" effectively downgrades the process forever:

# setpmac "biba/low(low-low)" getpmac
biba/low(low-low)
# setpmac "biba/low(low-low)" setpmac biba/high getpmac
biba/high: Operation not permitted

Best regards,

Borja.
From owner-freebsd-security@FreeBSD.ORG Tue May 9 22:03:48 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C404816A40B; Tue, 9 May 2006 22:03:48 +0000 (UTC) (envelope-from trhodes@FreeBSD.org) Received: from pittgoth.com (ns1.pittgoth.com [216.38.206.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBECA43D55; Tue, 9 May 2006 22:03:44 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (ip70-177-190-239.dc.dc.cox.net [70.177.190.239]) (authenticated bits=0) by pittgoth.com (8.13.4/8.13.4) with ESMTP id k49N6IlK068227 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 9 May 2006 19:06:19 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Tue, 9 May 2006 18:03:42 -0400 From: Tom Rhodes To: Borja Marcos Message-Id: <20060509180342.5136da89.trhodes@FreeBSD.org> In-Reply-To: References: X-Mailer: Sylpheed version 1.0.5 (GTK+ 1.2.10; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Tue, 09 May 2006 23:41:13 +0000 Cc: freebsd-security@FreeBSD.org, doc@FreeBSD.org Subject: Re: Errors in the FreeBSD handbook (MAC framework) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2006 22:03:50 -0000 On Tue, 9 May 2006 18:22:05 +0200 Borja Marcos wrote: > (crossposted to freebsd-security just in case someone has to slap me) :) > > > Hello, > > I'm doing some work with the MAC subsystem in FreeBSD, and I have > spotted some errors in the MAC documentation in the handbook. > > 1- Section 15.14.4. Error in the example dropping users "nagios" and > "www" into the insecure class. 
> The example uses the command "pw usermod nagios -L default" when it
> should obviously be "pw usermod nagios -L insecure". The same holds
> for the "www" user.
>
> 2- Section 15.14.6.
>
> The example script launches the commands "apachectl", and
> "/usr/local/etc/rc.d/nagios.sh" with the label biba/10, but they
> should be launched with the label biba/10(10-10).
>
> I've defined the "default" login class with a label of "biba/high". I
> log in at the machine as root, and...
>
> -----
> # getpmac
> biba/high(low-high)
> # setpmac biba/low getpmac
> biba/low(low-high)
> # setpmac biba/low setpmac biba/high getpmac
> biba/high(low-high)
>
> So, if I launch a process with a "setpmac biba/low", it actually
> inherits a label of "biba/low(high-low)", being able to recover its
> biba/high setting, something that wouldn't be desirable. However,
> launching it with a label of "biba/low(low-low)" effectively
> downgrades the process forever
>
> # setpmac "biba/low(low-low)" getpmac
> biba/low(low-low)
> # setpmac "biba/low(low-low)" setpmac biba/high getpmac
> biba/high: Operation not permitted

Yea, I'm still in the process of doing updates to this chapter, sorry for the current issues.
:( -- Tom Rhodes From owner-freebsd-security@FreeBSD.ORG Wed May 10 09:11:59 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D8DD016A401 for ; Wed, 10 May 2006 09:11:59 +0000 (UTC) (envelope-from pietro.cerutti@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id 742BA43D46 for ; Wed, 10 May 2006 09:11:59 +0000 (GMT) (envelope-from pietro.cerutti@gmail.com) Received: by py-out-1112.google.com with SMTP id m51so661645pye for ; Wed, 10 May 2006 02:11:58 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=KEOApwdELv5WJMtwVKQDmLsHCnXG6x7OtBGM2H9wVf+e1CT1UI6XHIZLiWe6FGYD7QxPkawBXZk8LI2aky69Y9XWflWKtcXhzz17dXWMyrbLH6jRBnvicA6U6ClPK2IWH+/J5WmnjGNxZR2ltc+keODkM0u7sqypK/+hO6U02MY= Received: by 10.35.9.2 with SMTP id m2mr2246033pyi; Wed, 10 May 2006 02:11:58 -0700 (PDT) Received: by 10.35.22.10 with HTTP; Wed, 10 May 2006 02:11:58 -0700 (PDT) Message-ID: Date: Wed, 10 May 2006 11:11:58 +0200 From: "Pietro Cerutti" To: "freebsd security" MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: Freebsd-update and 6.1-RELEASE X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2006 09:11:59 -0000 Hi guys, Does anybody know if freebsd-update is going to be available for 6.1-RELEASE before the end of Colin's "summer of FreeBSD work"? 
I wouldn't like to bother Colin directly via e-mail, so if anyone already asked for this or something....

Thanx, regards

--
Pietro Cerutti

From owner-freebsd-security@FreeBSD.ORG Wed May 10 14:57:41 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B525B16A4FB; Wed, 10 May 2006 14:57:41 +0000 (UTC) (envelope-from BORJAMAR@SARENET.ES) Received: from smtp1.sarenet.es (smtp1.sarenet.es [194.30.0.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 50D4C43D46; Wed, 10 May 2006 14:57:41 +0000 (GMT) (envelope-from BORJAMAR@SARENET.ES) Received: from [127.0.0.1] (borja.sarenet.es [192.148.167.77]) by smtp1.sarenet.es (Postfix) with ESMTP id 15EA53C1; Wed, 10 May 2006 16:57:39 +0200 (CEST) In-Reply-To: <20060504172309.D17611@fledge.watson.org> References: <20060504172309.D17611@fledge.watson.org> Mime-Version: 1.0 (Apple Message framework v749.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Borja Marcos Date: Wed, 10 May 2006 16:57:42 +0200 To: Robert Watson X-Mailer: Apple Mail (2.749.3) Cc: freebsd-security@freebsd.org Subject: Re: MAC policies and shared hosting X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2006 14:57:41 -0000

On 4 May 2006, at 18:28, Robert Watson wrote:

> On Wed, 3 May 2006, Borja Marcos wrote:
>
>> I've been looking at the different MAC modules available and how
>> they could help to implement a less insecure than usual shared
>> hosting web server.
>
> I think this sounds interesting :-).

Well, after reading the documentation and some source code, I think that a relatively simple approach is possible.
In fact, I'm thinking about writing an article describing the setup.

Each hosted website will have one or two users:

ftpwebhost: FTP update of the webpages ("webhost" being the customer name)
cgiwebhost: CGI/PHP for the website.

In this way, customers can restrict possible modifications done to their web pages by an abused CGI. I guess most customers will want only one user, but at least we can offer them the choice. Both users would share a group, so that clueful users can grant permissions to the cgiwebhost user.

I was thinking about mls and compartments, but it cannot be done without some cooperation from Apache, and ugidfw/mac_bsdextended will be more than enough. BTW, why are there only 256 compartments?

The ftpwebhost and cgiwebhost user ids will be members of an interval, imagine [10000,20000], and a ugidfw policy will ensure that they cannot access or even stat files owned by each other:

ugidfw subject uid 10000:20000 object uid 10000:20000 ! uid_of_subject mode n

I think I will use mac_biba to protect the system integrity. With the system labelled as biba/high and launching Apache with a biba/low(low-low) label we could certainly limit the impact of a root escalation.

Most system services would run being biba/high, with some notable exceptions:

- Some log rotation scripts, which should be biba/equal
- Backup, which, of course, should be able to access the whole system.

It will also use mac_seeotheruids. And it would be great to have an enhancement to mac_portacl, limiting the usage of the listen() system call.

There is great stuff in the MAC framework, indeed, and the possibilities are endless. Best of that, security decisions go back to the place they should have never abandoned: the operating system :)

I've just ordered the new O'Reilly book about FreeBSD and OpenBSD security, but it seems that it doesn't mention the MAC framework at all :(

Best regards,

Borja.
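The following is an added example, not from either of Borja's mails and not FreeBSD code: a toy model of mac_biba(4) process labels that reproduces the getpmac/setpmac transcript from the earlier "Errors in the FreeBSD handbook (MAC framework)" mail, the biba/10 versus biba/10(10-10) point made there, and the biba/low(low-low) Apache and biba/equal log rotation cases proposed above. Assumptions, marked in the code: grades order low < 1..65535 < high and "equal" compares equal to everything; a process relabel succeeds only when the requested effective grade and range lie inside the process's current range (the privilege checks mac_biba also applies are left out, since the transcript runs as root); file access follows Biba's no-read-down / no-write-up rules; compartments are ignored.

```python
"""Added example (not FreeBSD code): toy model of mac_biba(4) labels.
Assumed: low < 1..65535 < high, 'equal' equals everything, relabelling is
bounded by the current range only, access is Biba no-read-down/no-write-up."""
import re
from dataclasses import dataclass
from typing import Optional, Union

LOW, HIGH, EQUAL = "low", "high", "equal"
Grade = Union[str, int]


def parse_grade(text: str) -> Grade:
    """'low', 'high', 'equal', or a numeric grade 1..65535."""
    if text in (LOW, HIGH, EQUAL):
        return text
    grade = int(text)
    if not 1 <= grade <= 65535:
        raise ValueError(f"bad biba grade {text!r}")
    return grade


def dominates(a: Grade, b: Grade) -> bool:
    """True when integrity grade a is at least as high as grade b."""
    if EQUAL in (a, b):
        return True
    if a == HIGH or b == LOW:
        return True
    if a == LOW or b == HIGH:
        return False
    return a >= b


def in_range(grade: Grade, low: Grade, high: Grade) -> bool:
    return dominates(grade, low) and dominates(high, grade)


@dataclass(frozen=True)
class Label:
    """biba/EFFECTIVE or biba/EFFECTIVE(LOW-HIGH). The range is what getpmac
    prints in parentheses; a setpmac request may omit it to keep the old one."""
    effective: Grade
    low: Optional[Grade] = None
    high: Optional[Grade] = None

    @classmethod
    def parse(cls, text: str) -> "Label":
        m = re.fullmatch(r"biba/([a-z0-9]+)(?:\(([a-z0-9]+)-([a-z0-9]+)\))?", text)
        if not m:
            raise ValueError(f"bad biba label {text!r}")
        eff, lo, hi = m.groups()
        return cls(parse_grade(eff), parse_grade(lo) if lo else None,
                   parse_grade(hi) if hi else None)

    def __str__(self) -> str:
        text = f"biba/{self.effective}"
        if self.low is not None:
            text += f"({self.low}-{self.high})"
        return text


def setpmac(current: Label, requested: Label) -> Label:
    """Relabel a process (assumed rule, no privilege checks): keep the range
    unless one is requested; new range and new effective grade must both lie
    inside the current range."""
    low = requested.low if requested.low is not None else current.low
    high = requested.high if requested.high is not None else current.high
    allowed = (in_range(low, current.low, current.high)
               and in_range(high, current.low, current.high)
               and in_range(requested.effective, current.low, current.high)
               and in_range(requested.effective, low, high))
    if not allowed:
        raise PermissionError("Operation not permitted")
    return Label(requested.effective, low, high)


def run_setpmac(start: str, *requests: str) -> str:
    """`setpmac A setpmac B getpmac` from a process labelled start: returns the
    final label, or the error text setpmac prints."""
    label = Label.parse(start)
    try:
        for request in requests:
            label = setpmac(label, Label.parse(request))
    except PermissionError as err:
        return str(err)
    return str(label)


def can_read(subject: Label, obj: Label) -> bool:
    """No read down: the object's integrity must dominate the subject's."""
    return dominates(obj.effective, subject.effective)


def can_write(subject: Label, obj: Label) -> bool:
    """No write up: the subject's integrity must dominate the object's."""
    return dominates(subject.effective, obj.effective)


if __name__ == "__main__":
    root = "biba/high(low-high)"  # the transcript's starting label
    print(run_setpmac(root, "biba/low"))                        # biba/low(low-high)
    print(run_setpmac(root, "biba/low", "biba/high"))           # biba/high(low-high)
    print(run_setpmac(root, "biba/low(low-low)", "biba/high"))  # Operation not permitted
    print(run_setpmac(root, "biba/10", "biba/high"))            # biba/high(low-high)
    print(run_setpmac(root, "biba/10(10-10)", "biba/high"))     # Operation not permitted
    apache, sysfile = Label.parse("biba/low(low-low)"), Label.parse("biba/high")
    print(can_read(apache, sysfile), can_write(apache, sysfile))  # True False
    print(can_write(Label.parse("biba/equal"), sysfile))          # True
```

The last three lines are the shared-hosting case: an Apache downgraded to biba/low(low-low) can still read biba/high system files but cannot write them, even after a root escalation inside the process, while a biba/equal log rotation script can. Note that the same rule cuts the other way: a biba/high subject is refused read access to a biba/low object, which is why a backup process at biba/high cannot read everything on the system in this model.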
From owner-freebsd-security@FreeBSD.ORG Wed May 10 20:05:14 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D81AD16A8F6 for ; Wed, 10 May 2006 20:05:14 +0000 (UTC) (envelope-from simon@zaphod.nitro.dk) Received: from mx.nitro.dk (zarniwoop.nitro.dk [83.92.207.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5154143D49 for ; Wed, 10 May 2006 20:05:13 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: from zaphod.nitro.dk (unknown [192.168.3.18]) by mx.nitro.dk (Postfix) with ESMTP id 8BA132D48BE; Wed, 10 May 2006 20:05:13 +0000 (UTC) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id 4C67A11420; Wed, 10 May 2006 16:05:12 -0400 (EDT) Date: Wed, 10 May 2006 22:05:12 +0200 From: "Simon L. Nielsen" To: Pietro Cerutti Message-ID: <20060510200511.GB2158@zaphod.nitro.dk> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="neYutvxvOLaeuPCA" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.11 Cc: freebsd security Subject: Re: Freebsd-update and 6.1-RELEASE X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2006 20:05:18 -0000 --neYutvxvOLaeuPCA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2006.05.10 11:11:58 +0200, Pietro Cerutti wrote: > Hi guys, >=20 > Does anybody know if freebsd-update is going to be available for > 6.1-RELEASE before the end of Colin's "summer of FreeBSD work"? If you mean so you can update a 6.1 i386 system with freebsd-update then yes. There haven't been any updates yet so you are not missing anything. 
Colin said today that he need to start building 6.1 so freebsd-update does not complain, but he just hasn't gotten to it yet. --=20 Simon L. Nielsen --neYutvxvOLaeuPCA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFEYkd3h9pcDSc1mlERAuZ0AKCM4UwO7c33vcqwSWAL2OCaSw3a8ACgy8Ng UubrcbfdFwJhRLXuF09tHek= =c6MX -----END PGP SIGNATURE----- --neYutvxvOLaeuPCA-- From owner-freebsd-security@FreeBSD.ORG Wed May 10 20:10:20 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41BA516A4F9 for ; Wed, 10 May 2006 20:10:20 +0000 (UTC) (envelope-from pietro.cerutti@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB58B43D77 for ; Wed, 10 May 2006 20:10:06 +0000 (GMT) (envelope-from pietro.cerutti@gmail.com) Received: by py-out-1112.google.com with SMTP id m51so19911pye for ; Wed, 10 May 2006 13:10:06 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=tYJuXKKO23QiTnN4cBFRchTZy0yoTJ69CuuPObgc4deaJr7M7x6YLBjd7nxXpfzHgaO4VAIe6wtEtFaeWv+4BFGC1yOuBd5QQauk1vyuB4ufQY4f/wBVDeag1EYzmAa9YiGPtN+wtrCgIlA/cJSuF/CeTYzX/Sm2f1AUUPBJe4c= Received: by 10.35.49.4 with SMTP id b4mr5700pyk; Wed, 10 May 2006 13:10:06 -0700 (PDT) Received: by 10.35.22.10 with HTTP; Wed, 10 May 2006 13:10:06 -0700 (PDT) Message-ID: Date: Wed, 10 May 2006 22:10:06 +0200 From: "Pietro Cerutti" To: "Simon L. 
Nielsen" , "freebsd security" In-Reply-To: <20060510200511.GB2158@zaphod.nitro.dk> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <20060510200511.GB2158@zaphod.nitro.dk> Cc: Subject: Re: Freebsd-update and 6.1-RELEASE X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2006 20:10:26 -0000

On 5/10/06, Simon L. Nielsen wrote:
> On 2006.05.10 11:11:58 +0200, Pietro Cerutti wrote:
> > Hi guys,
> >
> > Does anybody know if freebsd-update is going to be available for
> > 6.1-RELEASE before the end of Colin's "summer of FreeBSD work"?
>
> If you mean so you can update a 6.1 i386 system with freebsd-update
> then yes.

Yes, this is what I meant.

> There haven't been any updates yet so you are not missing anything.

Just to know, you know...

> Colin said today that he need to start building 6.1 so freebsd-update
> does not complain, but he just hasn't gotten to it yet.

Ah, so that's the reason for this behaviour:

# freebsd-update fetch
Fetching updates signature... fetch: http://update.daemonology.net/i386/6.1/updates.sig: Not Found
Error fetching updates
#

Thank you Simon, I'll wait for this...

> --
> Simon L.
Nielsen -- Pietro Cerutti From owner-freebsd-security@FreeBSD.ORG Thu May 11 11:33:31 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F47C16A419 for ; Thu, 11 May 2006 11:33:31 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd4mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id E3CEB43D72 for ; Thu, 11 May 2006 11:33:27 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd2mr5so.prod.shaw.ca (pd2mr5so-qfe3.prod.shaw.ca [10.0.141.8]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IZ300CZ9MRRX960@l-daemon> for freebsd-security@freebsd.org; Thu, 11 May 2006 05:33:27 -0600 (MDT) Received: from pn2ml8so.prod.shaw.ca ([10.0.121.152]) by pd2mr5so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IZ300B8TMRRXNC0@pd2mr5so.prod.shaw.ca> for freebsd-security@freebsd.org; Thu, 11 May 2006 05:33:27 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0IZ3002WTMRPVQK0@l-daemon> for freebsd-security@freebsd.org; Thu, 11 May 2006 05:33:27 -0600 (MDT) Received: (qmail 5020 invoked from network); Thu, 11 May 2006 11:28:09 +0000 Received: from unknown (HELO ?127.0.0.1?) 
(127.0.0.1) by localhost with SMTP; Thu, 11 May 2006 11:28:09 +0000 Date: Thu, 11 May 2006 07:28:09 -0400 From: FreeBSD Security Officer To: freebsd security Message-id: <44631FC9.7060805@freebsd.org> Organization: FreeBSD Project MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 User-Agent: Thunderbird 1.5 (X11/20060416) Subject: HEADS UP: FreeBSD 4.10 EoL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: security-officer@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 May 2006 11:33:32 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, On June 1st, 21 days from now, FreeBSD 4.10 will have reached its two year End of Life and will no longer be supported by the FreeBSD Security Team. While some security fixes may be merged to the RELENG_4_10 security branch after the EoL date, the Security Team will only investigate new issues if they affect supported branches; consequently, the FreeBSD Security Team strongly recommends upgrading existing systems running FreeBSD 4.10 to a newer release. FreeBSD 5.4 had been planned to expire at the same time, but in light of delays in the FreeBSD 5.5 release schedule, the FreeBSD 5.4 EoL has been extended to October 2006, in order to allow time for users to upgrade to FreeBSD 5.5. Again, we strongly recommend upgrading all FreeBSD 5.3 and 5.4 systems to FreeBSD 5.5 (once it is released, later this month) or FreeBSD 6.1 (now). 
The current supported branches and expected EoL dates are:

+--------------------------------------------------------------------+
| Branch    | Release    | Type   | Release date   | Estimated EoL   |
|-----------+------------+--------+----------------+-----------------|
|RELENG_4   |n/a         |n/a     |n/a             |January 31, 2007 |
|-----------+------------+--------+----------------+-----------------|
|RELENG_4_10|4.10-RELEASE|Extended|May 27, 2004    |May 31, 2006     |
|-----------+------------+--------+----------------+-----------------|
|RELENG_4_11|4.11-RELEASE|Extended|January 25, 2005|January 31, 2007 |
|-----------+------------+--------+----------------+-----------------|
|RELENG_5   |n/a         |n/a     |n/a             |May 31, 2008     |
|-----------+------------+--------+----------------+-----------------|
|RELENG_5_3 |5.3-RELEASE |Extended|November 6, 2004|October 31, 2006 |
|-----------+------------+--------+----------------+-----------------|
|RELENG_5_4 |5.4-RELEASE |Normal  |May 9, 2005     |October 31, 2006 |
|-----------+------------+--------+----------------+-----------------|
|RELENG_6   |n/a         |n/a     |n/a             |May 2008 or later|
|-----------+------------+--------+----------------+-----------------|
|RELENG_6_0 |6.0-RELEASE |Normal  |November 4, 2005|November 30, 2006|
|-----------+------------+--------+----------------+-----------------|
|RELENG_6_1 |6.1-RELEASE |Extended|May 9, 2006     |May 31, 2008     |
+--------------------------------------------------------------------+

Once it is released, FreeBSD 5.5 will be supported until May 31, 2008.
Colin Percival FreeBSD Security Officer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFEYx/IFdaIBMps37IRAqCsAJ9ZEZ5Wt21Rm/QiBJw8rTog6cQL2QCbB4p5 3BF7GjLQhelz0DxH3irEA0M= =y/6b -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Thu May 11 11:33:35 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F266B16A427 for ; Thu, 11 May 2006 11:33:35 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd4mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D89B43D77 for ; Thu, 11 May 2006 11:33:28 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd2mr4so.prod.shaw.ca (pd2mr4so-qfe3.prod.shaw.ca [10.0.141.107]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IZ300A3BMRR3JF0@l-daemon> for freebsd-security@freebsd.org; Thu, 11 May 2006 05:33:28 -0600 (MDT) Received: from pn2ml8so.prod.shaw.ca ([10.0.121.152]) by pd2mr4so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0IZ300FO2MRR2NP0@pd2mr4so.prod.shaw.ca> for freebsd-security@freebsd.org; Thu, 11 May 2006 05:33:27 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0IZ3000OOMRQWSJ0@l-daemon> for freebsd-security@freebsd.org; Thu, 11 May 2006 05:33:27 -0600 (MDT) Received: (qmail 941 invoked from network); Wed, 10 May 2006 13:35:11 +0000 Received: from unknown (HELO ?127.0.0.1?) 
Date: Wed, 10 May 2006 09:35:11 -0400
From: Colin Percival
To: Pietro Cerutti
Cc: freebsd security
Message-id: <4461EC0F.2070809@freebsd.org>
Subject: Re: Freebsd-update and 6.1-RELEASE

Pietro Cerutti wrote:
> Does anybody know if freebsd-update is going to be available for
> 6.1-RELEASE before the end of Colin's "summer of FreeBSD work"?

FreeBSD Update will work on FreeBSD 6.1 before the first security advisory affecting 6.1 is released. The only reason it doesn't already work is that I was getting ready for my flight to BSDCan when the release happened.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu May 11 11:46:33 2006
Date: Thu, 11 May 2006 13:46:27 +0200
From: "Pietro Cerutti"
To: "Colin Percival", "freebsd security"
In-Reply-To: <4461EC0F.2070809@freebsd.org>
References: <4461EC0F.2070809@freebsd.org>
Subject: Re: Freebsd-update and 6.1-RELEASE

On 5/10/06, Colin Percival wrote:
> Pietro Cerutti wrote:
> > Does anybody know if freebsd-update is going to be available for
> > 6.1-RELEASE before the end of Colin's "summer of FreeBSD work"?
>
> FreeBSD Update will work on FreeBSD 6.1 before the first security
> advisory affecting 6.1 is released.

Yeah, quite reassuring!

> The only reason it doesn't
> already work is that I was getting ready for my flight to BSDCan
> when the release happened.

I know you're kind of a busy person, which makes your work even more appreciated! Thank you very much!

> Colin Percival

--
Pietro Cerutti

From owner-freebsd-security@FreeBSD.ORG Thu May 11 19:09:10 2006
Date: Thu, 11 May 2006 20:09:08 +0100
From: "mal content"
To: "Borja Marcos"
Cc: freebsd-security@freebsd.org
Message-ID: <8e96a0b90605111209l7620bff8u7261d20ac708879f@mail.gmail.com>
References: <20060504172309.D17611@fledge.watson.org>
Subject: Re: MAC policies and shared hosting

On 5/10/06, Borja Marcos wrote:
> There is great stuff in the MAC framework, indeed, and the
> possibilities are endless. Best of that, security decisions go back
> to the place they should have never abandoned: the operating system :)
>
> I've just ordered the new O'Reilly book about FreeBSD and OpenBSD
> security, but it seems that it doesn't mention the MAC framework at
> all :(

Unfortunately the MAC framework just doesn't seem to get as much attention as I'd like. I think the problem was that the TrustedBSD project seemed very 'closed' in that the site was quite rarely updated and it was difficult to get news on developments. It seemed, for a long time, that nobody was interested in it.

It'd be nice to see a ton of tutorials, papers and documentation for it. I personally would write quite a bit on it if I could get started, but unfortunately my 'expertise' begins and ends at the web server example in the handbook.

I think also the MAC framework is perceived as being too difficult to use and too detached from FreeBSD itself. Hopefully the latter will improve when BSM is integrated with the system, and the former is entirely subjective anyway.

There's quite a large gap in ports for some software that puts a friendly face on some of the MAC policies such as biba, MLS, etc.

Hmm. Brain spilled out onto the keyboard a bit then. I'll put it back in its cage for now.

a1

From owner-freebsd-security@FreeBSD.ORG Fri May 12 00:23:54 2006
Date: Fri, 12 May 2006 01:56:15 +0200
From: Borja Marcos
To: mal content
Cc: freebsd-security@freebsd.org
In-Reply-To: <8e96a0b90605111209l7620bff8u7261d20ac708879f@mail.gmail.com>
References: <20060504172309.D17611@fledge.watson.org> <8e96a0b90605111209l7620bff8u7261d20ac708879f@mail.gmail.com>
Subject: Re: MAC policies and shared hosting

> Unfortunately the MAC framework just doesn't seem to get
> as much attention as I'd like. I think the problem was
> that the TrustedBSD project seemed very 'closed' in that the
> site was quite rarely updated and it was difficult to get news
> on developments. It seemed, for a long time, that nobody was
> interested in it.

Well, I am loving it, really.

> It'd be nice to see a ton of tutorials, papers and documentation
> for it. I personally would write quite a bit on it if I could get
> started but unfortunately my 'expertise' begins and ends at the web server
> example in the handbook.
>
> I think also the MAC framework is perceived as being too difficult
> to use and too detached from FreeBSD itself. Hopefully the latter
> will improve when BSM is integrated with the system and the
> former is entirely subjective anyway.

Well, as you increase security there is a tradeoff. But I'm trying to come up with a reasonable balance between security and convenience. Deploying it has important consequences on operations like, for example, a make world. You must be aware of it.

I'm trying to do it in the Apple way: make it simple enough to be usable, but make it strong enough :)

Borja.

From owner-freebsd-security@FreeBSD.ORG Fri May 12 04:50:45 2006
Date: Fri, 12 May 2006 00:16:19 -0400
From: Colin Percival
To: Pietro Cerutti
Cc: freebsd security, Colin Percival
Message-id: <44640C13.2010409@freebsd.org>
In-reply-to: <4461EC0F.2070809@freebsd.org>
References: <4461EC0F.2070809@freebsd.org>
Subject: Re: Freebsd-update and 6.1-RELEASE

I wrote:
> FreeBSD Update will work on FreeBSD 6.1 before the first security
> advisory affecting 6.1 is released.

I think I have everything in place for FreeBSD Update to run on FreeBSD 6.1. Please test and let me know if I forgot anything.

Colin Percival