From: Kenyeres Márton <mkenyeres@konvergencia.hu>
To: Jeff
Cc: freebsd-security@freebsd.org
Date: Fri, 2 Jun 2006 10:57:49 +0200
Subject: Re: mac_bsdextended log information
Message-ID: <1149238669.657.6.camel@dell1.kvg.hu>
In-Reply-To: <7.0.1.0.2.20060601142921.2284c5b0@wheresmymailserver.com>
X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port
On Thu, 2006-06-01 at 14:40 -0700, Jeff wrote:
> Hey everyone,
>
> I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe.
>
> I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:
>
> www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
>
> So the question is, what file did the www process try to muck with? It is a root owned file, and it is important that it wants to act on it. Security problem, or benign problem? Who knows without being able to know what the file is. A look at the source code implies that the "request 256" means that the web process tried to read the vnode numbered 256. Is that accurate?
> If it is, how do I go about associating vnode numbers to files, so I have a hope of troubleshooting these errors.
>

There are many legitimate reasons for a webserver to open root owned files. Looking up users in the password database would be my first guess. Maybe you should consider changing your rules to some more fine grained ones?

> Searching seems to turn up no tool or easy way to get this vnode -> file information. Help!

Try:

$ find / -inum 256

>
> Jeff
>

Cheers,
m.

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Kenyeres Márton
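An added example for decoding these log lines, not part of the thread above and not code from the FreeBSD project. In the 6.x mac_bsdextended source the "request N" value in the log line is the vnode access mode (acc_mode) that was checked, not a vnode or inode number; 256 is 0400 octal, which is VREAD in sys/vnode.h of that era. On that reading `find -inum 256` would look up an unrelated inode, and the way to learn which root-owned file uid 80 was reading is to trace the process (for instance with truss or ktrace on the web server). The bit values below are the octal constants VEXEC, VWRITE, VREAD, VADMIN, VSTAT and VAPPEND from that header, and should be checked against your own tree. The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Decode mac_bsdextended denial lines from syslog (added example).
# Assumption: "request N" is the decimal acc_mode passed to the check, using
# the octal bit values from 6.x sys/vnode.h listed below. Verify these
# against the vnode.h of the kernel that produced the log.

# Print the symbolic names for a decimal access-mode value, e.g. 256 -> VREAD.
# Bits not in the table are reported as unknown(0x...) rather than dropped.
decode_request() {
    mode=$1
    names=""
    for pair in 64:VEXEC 128:VWRITE 256:VREAD 4096:VADMIN 8192:VSTAT 16384:VAPPEND; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( mode & bit )) -ne 0 ]; then
            names="${names:+$names|}$name"
            mode=$(( mode & ~bit ))
        fi
    done
    if [ "$mode" -ne 0 ]; then
        names="${names:+$names|}unknown(0x$(printf %x "$mode"))"
    fi
    printf '%s\n' "${names:-none}"
}

# Turn one syslog line into "subject_uid:gid -> object_uid:gid MODE".
# Returns 1 (and prints nothing) for lines that are not mac_bsdextended denials.
decode_line() {
    line=$1
    case $line in
        *"mac_bsdextended: "*" request "*" on "*" failed"*) ;;
        *) return 1 ;;
    esac
    rest=${line#*mac_bsdextended: }
    subj=${rest%% request *}
    rest=${rest#* request }
    req=${rest%% on *}
    rest=${rest#* on }
    obj=${rest%% failed*}
    printf '%s -> %s %s\n' "$subj" "$obj" "$(decode_request "$req")"
}

# Constructed sample log, modelled on the line quoted in the thread.
SAMPLE_LOG='Jun  2 10:57:49 www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
Jun  2 10:58:03 www kernel: mac_bsdextended: 80:80 request 384 on 1010:1010 failed.
Jun  2 10:58:10 www sshd[123]: unrelated line'

# Decode every denial in the sample log, skipping other lines.
decode_log() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
        decode_line "$l" || :
    done
}

decode_log
```

Run on a real system as `grep mac_bsdextended /var/log/messages | while IFS= read -r l; do decode_line "$l"; done` after sourcing the functions. The decoded mode tells you what kind of access the ugidfw rule set refused (read, write, exec, admin); it still does not name the file, which is why the process trace is the next step.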