From owner-freebsd-security@FreeBSD.ORG Mon Oct 10 20:23:11 2011
From: Remko Lodder
Date: Mon, 10 Oct 2011 22:23:09 +0200
To: Mike Brown
Cc: freebsd-security@freebsd.org
Subject: Re: Reasonable expectations of sysadmins (was Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix)
In-Reply-To: <201110020411.p924BPqn037383@chilled.skew.org>

On Oct 2, 2011, at 6:11 AM, Mike Brown wrote:
> Chris Rees wrote:
>> Generally users are expected to pay attention to what is updated-- I
>> know this isn't always the easiest task, but blindly following
>> instructions is not something that is generally advocated in FreeBSD.
>
> Generally, yes.
> For a security advisory, though, I don't think it's unreasonable for the
> reader to expect that the solutions and workarounds are exactly as
> described, with nothing left out or assumed that every system
> administrator will know. Likewise, the advisory issuer surely expects
> that the instructions they provide *will* be very strictly followed.
>
> Based on my own experience, I did happen to realize that a reboot would
> probably be needed, but since one procedure in the advisory said to
> reboot and the other didn't, it led me to wonder if maybe there was some
> magic in freebsd-update that obviated the need for a reboot. Apparently
> there's not; it was just an oversight in the instructions.
>
> Also, sometimes things go haywire after a reboot, especially after
> extended uptime and updates to the kernel or core libraries, so I'm in
> the habit of only shutting down when necessary. So if I don't see "and
> then reboot" in an update procedure - and most of the time, security
> updates don't require it - then I don't do it.

Hi Mike,

I do see the point you are mentioning and I will discuss this the next
time we (Security Team) are preparing an advisory.
Thanks
Remko

--
/"\   With kind regards,    | remko@elvandar.org
\ /   Remko Lodder          | remko@FreeBSD.org
 X    FreeBSD               | http://www.evilcoder.org
/ \   The Power to Serve    | Quis custodiet ipsos custodes

From owner-freebsd-security@FreeBSD.ORG Tue Oct 11 07:52:46 2011
From: Dag-Erling Smørgrav
Date: Tue, 11 Oct 2011 09:52:44 +0200
To: Mike Brown
Cc: freebsd-security@freebsd.org
Subject: Re: Reasonable expectations of sysadmins
In-Reply-To: <201110020411.p924BPqn037383@chilled.skew.org> (Mike Brown's message of "Sat, 1 Oct 2011 22:11:25 -0600 (MDT)")
Message-ID: <86d3e4j777.fsf@ds4.des.no>

Mike Brown writes:
> Also, sometimes things go haywire after a reboot, especially after extended
> uptime and updates to the kernel or core libraries, so I'm in the habit of
> only shutting down when necessary.
> So if I don't see "and then reboot" in an
> update procedure - and most of the time, security updates don't require it -
> then I don't do it.

Actually, this is an argument in favor of rebooting regularly, or at
least after every major change, so you know the server will boot
unassisted if something happens (power outage, cleaning staff tripped
over the mains cable, etc.)  I once spent an entire evening coaxing a
mission-critical database server back up after a simple disk replacement
because a predecessor had performed an in-place system upgrade without
verifying that the new configuration would boot cleanly.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Oct 11 09:58:44 2011
In-Reply-To: <86d3e4j777.fsf@ds4.des.no>
References: <201110020411.p924BPqn037383@chilled.skew.org>
	<86d3e4j777.fsf@ds4.des.no>
Date: Tue, 11 Oct 2011 05:32:46 -0400
From: Matthew Franz
To: Dag-Erling Smørgrav
Cc: Mike Brown, freebsd-security@freebsd.org
Subject: Re: Reasonable expectations of sysadmins

I've found this to be especially useful on PF+CARP pairs when making
networking changes. Did the interfaces come up properly, did the routes,
did the PF rules upon reboot?

In some virtualized (non-BSD) environments some folks rebuild the image
from scratch from packages and from a source of truth (puppet/chef repo)
to be sure you can always have a clean build.

- mdf

2011/10/11 Dag-Erling Smørgrav:
> Mike Brown writes:
>> Also, sometimes things go haywire after a reboot, especially after extended
>> uptime and updates to the kernel or core libraries, so I'm in the habit of
>> only shutting down when necessary. So if I don't see "and then reboot" in an
>> update procedure - and most of the time, security updates don't require it -
>> then I don't do it.
>
> Actually, this is an argument in favor of rebooting regularly, or at
> least after every major change, so you know the server will boot
> unassisted if something happens (power outage, cleaning staff tripped
> over the mains cable, etc.)  I once spent an entire evening coaxing a
> mission-critical database server back up after a simple disk replacement
> because a predecessor had performed an in-place system upgrade without
> verifying that the new configuration would boot cleanly.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>

--
Matthew Franz
mdfranz@gmail.com

From owner-freebsd-security@FreeBSD.ORG Tue Oct 11 23:05:18 2011
Message-ID: <4E94BA41.2020907@FreeBSD.org>
Date: Tue, 11 Oct 2011 17:50:57 -0400
From: Garance A Drosehn
To: Dag-Erling Smørgrav
References: <201110020411.p924BPqn037383@chilled.skew.org> <86d3e4j777.fsf@ds4.des.no>
In-Reply-To: <86d3e4j777.fsf@ds4.des.no>
Cc: Mike Brown, freebsd-security@FreeBSD.org
Subject: Re: Reasonable expectations of sysadmins

On 10/11/11 3:52 AM, Dag-Erling Smørgrav wrote:
> Mike Brown writes:
>
>> Also, sometimes things go haywire after a reboot, especially after extended
>> uptime and updates to the kernel or core libraries, so I'm in the habit of
>> only shutting down when necessary. So if I don't see "and then reboot" in an
>> update procedure - and most of the time, security updates don't require it -
>> then I don't do it.
>>
> Actually, this is an argument in favor of rebooting regularly, or at
> least after every major change, so you know the server will boot
> unassisted if something happens (power outage, cleaning staff tripped
> over the mains cable, etc.) I once spent an entire evening coaxing a
> mission-critical database server back up after a simple disk replacement
> because a predecessor had performed an in-place system upgrade without
> verifying that the new configuration would boot cleanly.
>
> DES
>

FWIW: If I have a production server which has been up and running for
more than six months, I often reboot the machine *before* making some
significant change, just to make sure the machine is still in working
order before I make that change. I then make the change, and reboot
again. There are times where I have discovered problems in that first
reboot.
(also note that in my case, most production servers which have been up
for more than six months have probably been up for more than a year)

--
Garance Alistair Drosehn                =   gad@gilead.netel.rpi.edu
Senior Systems Programmer               or  gad@freebsd.org
Rensselaer Polytechnic Institute        or  drosih@rpi.edu

From owner-freebsd-security@FreeBSD.ORG Wed Oct 12 04:29:15 2011
In-Reply-To: <679126918.20110922121706@serebryakov.spb.ru>
Organization: GeekCN
References: <679126918.20110922121706@serebryakov.spb.ru>
To: freebsd-security@freebsd.org, "Lev Serebryakov"
From: "Chao Shin"
Date: Wed, 12 Oct 2011 12:29:05 +0800
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

> Hello, Freebsd-security.
>
> I have chicken-and-egg problem with wheel group and su utility when
> all users but root are stored in LDAP.
>
> wheel group should be in /etc/group to allow basic system services
> to start before LDAP is available.
>
> But when "wheel" is in /etc/group with only "root" member (as all
> other members are in LDAP), system never takes "wheel" members from
> LDAP (because /etc/group has priority) and "su" doesn't work!
>
> What is proper way to resolve this problem?
>

I don't have system to test this now, but you can try below config in your
nsswitch.conf

group: files [success=return notfound=continue] ldap
passwd: files [success=return notfound=continue] ldap

I didn't meet this problem in my last company's environment

--
The Power to Serve

From owner-freebsd-security@FreeBSD.ORG Wed Oct 12 02:03:41 2011
From: Lowell Gilbert
To: Garance A Drosehn
References: <201110020411.p924BPqn037383@chilled.skew.org> <86d3e4j777.fsf@ds4.des.no> <4E94BA41.2020907@FreeBSD.org>
Date: Tue, 11 Oct 2011 21:43:22 -0400
In-Reply-To: <4E94BA41.2020907@FreeBSD.org> (Garance A. Drosehn's message of "Tue, 11 Oct 2011 17:50:57 -0400")
Message-ID: <44d3e30yth.fsf@be-well.ilk.org>
Cc: freebsd-security@FreeBSD.org
Subject: Re: Reasonable expectations of sysadmins

Garance A Drosehn writes:
> FWIW: If I have a production server which has been up and running for
> more than six months, I often reboot the machine *before* making some
> significant change, just to make sure the machine is still in working
> order before I make that change. I then make the change, and reboot
> again. There are times where I have discovered problems in that first
> reboot.

In theory, this should never be helpful.

In theory, there's no difference between practice and theory.

In practice, um...
From owner-freebsd-security@FreeBSD.ORG Thu Oct 13 13:06:13 2011
From: Dag-Erling Smørgrav
To: "Chao Shin"
References: <679126918.20110922121706@serebryakov.spb.ru>
Date: Thu, 13 Oct 2011 15:06:11 +0200
In-Reply-To: (Chao Shin's message of "Wed, 12 Oct 2011 12:29:05 +0800")
Message-ID: <86vcrt9h30.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, Lev Serebryakov
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

"Chao Shin" writes:
> "Lev Serebryakov" writes:
> > But when "wheel" is in /etc/group with only "root" member (as all
> > other members are in LDAP), system never takes "wheel" members from
> > LDAP (because /etc/group has priority) and "su" doesn't work!
> I don't have system to test this now, but you can try below config in your
> nsswitch.conf
>
> group: files [success=return notfound=continue] ldap
> passwd: files [success=return notfound=continue] ldap

That won't make any difference, because "files" *will* succeed, since
there is a wheel entry in /etc/group.  (actually, I believe
[success=return notfound=continue] is the default behavior)

DES
--
Dag-Erling Smørgrav - des@des.no