From owner-freebsd-security Sun Aug 4 20:18:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA13992 for security-outgoing; Sun, 4 Aug 1996 20:18:35 -0700 (PDT)
Received: from www.sbq.org.br (sbq.sbq.org.br [143.108.1.102]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA13987 for ; Sun, 4 Aug 1996 20:18:29 -0700 (PDT)
Received: (from sbqadm@localhost) by www.sbq.org.br (8.6.12/FreeBSD2.1/8.6.12/SBQ) id AAA04628 for security@freebsd.org; Mon, 5 Aug 1996 00:20:29 GMT
From: "Sociedade Brasileira de Quimica/Admin"
Message-Id: <199608050020.AAA04628@www.sbq.org.br>
Subject: rlogin vulnerability?
To: security@freebsd.org
Date: Mon, 5 Aug 1996 00:20:29 +0000 ()
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello

Sorry if this is a very stupid question, but someone from the Linux camp told me FreeBSD may be vulnerable, also, to the following Linux security hole:

From: "Alexander O. Yuriev"
To: linux-security@tarsier.cv.nrao.edu
Cc: linux-alert@tarsier.cv.nrao.edu
Subject: [linux-alert] LSF Update#11: Vulnerability of rlogin
Date: Tue, 30 Jul 1996 18:11:00 -0400

[...]

=============================================================================
ABSTRACT

A vulnerability exists in the rlogin program of NetKitB-0.6. This vulnerability affects several widely used Linux distributions, including RedHat Linux 2.0, 2.1 and derived systems including Caldera Network Desktop, Slackware 3.0 and others. This vulnerability is not limited to Linux or any other free UNIX systems. Both the information about this vulnerability and methods of its exploit were made available on the Internet.
RISK ASSESSMENT

Local and remote users could gain super-user privileges

Looking at the diff between the patched Netkit and the previous one the guy found things like:

ping.c - pr_addr(l)

998c998
< (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
---
> (void)snprintf(buf, 75, "%s", inet_ntoa(*(struct in_addr *)&l));
1000c1000
< (void)sprintf(buf, "%s (%s)", hp->h_name,
---
> (void)snprintf(buf, 75, "%s (%s)", hp->h_name,

As FreeBSD (2.1.0 at least) has the same code for pr_addr(l), he concluded it has the same vulnerability.

Thanks for any info on this

Pedro

From owner-freebsd-security Mon Aug 5 07:40:40 1996
From: Jeremy Sigmon
To: Nathan Lawson
Cc: Brandon Gillespie, freebsd-security@freebsd.org
Subject: Re: Crack 4.1 patches for FBSD
Date: Mon, 5 Aug 1996 10:41:46 -0400 (EDT)
In-Reply-To: <199608030513.WAA02366@kdat.calpoly.edu>

On Fri, 2 Aug 1996, Nathan Lawson wrote:

> I'm actually interested in a 'secure' release of FreeBSD, with daemons not
> running as root, no complicated mailers, few to no setuid binaries -- in
> essence, what I do to my FreeBSD systems as soon as I install them.
>
> Unfortunately, I have recently started a very demanding job and do not have
> the time to contribute to such a project. My apologies.
>

Even just an HTML checklist of your actions after installing FreeBSD would be nice to look at, something like:

* Install FreeBSD
* Remove tftp from inetd because ...

etc...

From owner-freebsd-security Mon Aug 5 09:33:03 1996
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: sbqadm@sbq.org.br (Sociedade Brasileira de Quimica/Admin)
Cc: security@freebsd.org
Subject: Re: rlogin vulnerability?
Date: Mon, 5 Aug 1996 06:58:08 +0200
Message-Id: <199608050458.GAA08545@keltia.freenix.fr>
In-Reply-To: <199608050020.AAA04628@www.sbq.org.br>; from Sociedade Brasileira de Quimica/Admin on Aug 5, 1996 0:20:29 +0000

According to Sociedade Brasileira de Quimica/Admin:
> ping.c - pr_addr(l)

Interestingly enough, the diff is about ping, not rlogin. Anyway, it was fixed a while ago in 2.2-CURRENT:

----------------------------
revision 1.6
date: 1996/07/28 20:29:10;  author: peter;  state: Exp;  lines: +3 -2
Limit the risk of `buf' overrun in ping.c when printing hostnames.
Note, this is not really a security risk, because the buffer in question
is a static variable in the data segment and not on the stack, and hence
cannot subvert the flow of execution in any way. About the worst case was
that if you pinged a long hostname, ping could coredump.

Pointed out on: bugtraq (listserv@netspace.org)
----------------------------
--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #17: Fri Aug 2 20:40:17 MET DST 1996

From owner-freebsd-security Mon Aug 5 13:02:05 1996
From: Brian Mitchell
To: Ollivier Robert
Cc: Sociedade Brasileira de Quimica/Admin, security@freebsd.org
Subject: Re: rlogin vulnerability?
Date: Mon, 5 Aug 1996 16:00:05 -0400 (EDT)
In-Reply-To: <199608050458.GAA08545@keltia.freenix.fr>

On Mon, 5 Aug 1996, Ollivier Robert wrote:

> According to Sociedade Brasileira de Quimica/Admin:
> > ping.c - pr_addr(l)
>
> Interestingly enough, the diff is about ping, not rlogin. Anyway, it was
> fixed a while ago in 2.2-CURRENT:
>
> ----------------------------
> revision 1.6
> date: 1996/07/28 20:29:10;  author: peter;  state: Exp;  lines: +3 -2
> Limit the risk of `buf' overrun in ping.c when printing hostnames.
>
> Note, this is not really a security risk, because the buffer in question
> is a static variable in the data segment and not on the stack, and hence
> cannot subvert the flow of execution in any way. About the worst case was
> that if you pinged a long hostname, ping could coredump.

This is not true; the function is not used when you enter a hostname. It is used when you get a non-echoreply packet when you are in -v mode; that's the only time it is called.

Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman

From owner-freebsd-security Tue Aug 6 01:52:18 1996
From: Chris Layne
To: freebsd-security@freebsd.org
Subject: am I the only one?
Date: Tue, 6 Aug 1996 01:52:10 -0700 (PDT)

But has anyone else noticed that ssh takes like 5 seconds to establish a connection as compared to rlogin's 1-2 ?
== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.vendetta.com == http://nervosa.vendetta.com/~coredump ==

From owner-freebsd-security Tue Aug 6 01:58:37 1996
From: David Greenman
Reply-To: dg@root.com
To: Chris Layne
Cc: freebsd-security@freebsd.org
Subject: Re: am I the only one?
Date: Tue, 06 Aug 1996 01:58:05 -0700
Message-Id: <199608060858.BAA19896@root.com>
In-reply-to: Your message of "Tue, 06 Aug 1996 01:52:10 PDT."

>But has anyone else noticed that ssh takes like 5 seconds to establish a
>connection as compared to rlogin's 1-2 ?

   1024 bit keys do take a bit of time to decrypt. Get a faster computer...
-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue Aug 6 02:00:39 1996
From: Chris Layne
To: David Greenman
Cc: freebsd-security@freebsd.org
Subject: Re: am I the only one?
Date: Tue, 6 Aug 1996 02:00:22 -0700 (PDT)
In-Reply-To: <199608060858.BAA19896@root.com>

On Tue, 6 Aug 1996, David Greenman wrote:

> 1024 bit keys do take a bit of time to decrypt. Get a faster computer...
>
> -DG

Oh okay! I never thought it would have been easier! :P Any way of decreasing the key length?

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.vendetta.com == http://nervosa.vendetta.com/~coredump ==

From owner-freebsd-security Tue Aug 6 02:32:43 1996
From: jvisagie@insight.co.za (Johann Visagie)
Subject: Re: am I the only one?
To: coredump@nervosa.vendetta.com (Chris Layne)
Date: Tue, 6 Aug 1996 11:32:35 +0200 (SAT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Chris Layne" at Aug 6, 96 01:52:10 am

Chris Layne wrote:
>
> But has anyone else noticed that ssh takes like 5 seconds to establish a
> connection as compared to rlogin's 1-2 ?

Put ssh in verbose mode with -v sometime to get an idea of all the things it needs to do in order to establish a connection.

-- V
Johann Visagie | Email: jvisagie@insight.co.za | Tel: +27 83 777-4260

From owner-freebsd-security Tue Aug 6 06:16:50 1996
From: b
To: Chris Layne
Cc: freebsd-security@freebsd.org
Subject: Re: am I the only one?
Date: Tue, 6 Aug 1996 08:16:28 -0500 (CDT)

On Tue, 6 Aug 1996, Chris Layne wrote:

> But has anyone else noticed that ssh takes like 5 seconds to establish a
> connection as compared to rlogin's 1-2 ?

ssh has to generate a key, where rlogin does not.
b

From owner-freebsd-security Tue Aug 6 07:25:07 1996
From: Ben Black
To: coredump@nervosa.vendetta.com (Chris Layne)
Cc: freebsd-security@FreeBSD.org
Subject: Re: am I the only one?
Date: Tue, 6 Aug 1996 09:24:53 -0500 (CDT)
Message-Id: <199608061424.JAA12887@galileo.mr.net>
In-Reply-To: from "Chris Layne" at Aug 6, 96 01:52:10 am

ssh is negotiating session parameters and starting up a new sshd process. Try breaking the connection before negotiation is complete, then opening a new connection. It will connect all the way through almost immediately.

Ben

>
> But has anyone else noticed that ssh takes like 5 seconds to establish a
> connection as compared to rlogin's 1-2 ?
>
> == Chris Layne ======================================== Nervosa Computing ==
> == coredump@nervosa.vendetta.com == http://nervosa.vendetta.com/~coredump ==
>

From owner-freebsd-security Tue Aug 6 08:46:15 1996
From: Brian Mitchell
To: Johann Visagie
Cc: Chris Layne, freebsd-security@freebsd.org
Subject: Re: am I the only one?
Date: Tue, 6 Aug 1996 11:44:52 -0400 (EDT)

On Tue, 6 Aug 1996, Johann Visagie wrote:

> Chris Layne wrote:
> >
> > But has anyone else noticed that ssh takes like 5 seconds to establish a
> > connection as compared to rlogin's 1-2 ?
>
> Put ssh in verbose mode with -v sometime to get an idea of all the things it
> needs to do in order to establish a connection.

Or just read the pseudo-rfc to get a real idea of what it is doing.

Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman

From owner-freebsd-security Tue Aug 6 10:23:32 1996
From: Scanner
To: Chris Layne
Cc: freebsd-security@freebsd.org
Subject: Re: am I the only one?
Date: Tue, 6 Aug 1996 13:21:55 -0400 (EDT)

On Tue, 6 Aug 1996, Chris Layne wrote:

> But has anyone else noticed that ssh takes like 5 seconds to establish a
> connection as compared to rlogin's 1-2 ?

You have to understand that ssh takes longer because it's negotiating encrypted keys between 2 hosts; rlogin does barely any authentication.

--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.5 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team!
http://www.bsdnet.org

From owner-freebsd-security Tue Aug 6 10:33:47 1996
From: Chris Layne
To: freebsd-security@freebsd.org
Subject: hmmm
Date: Tue, 6 Aug 1996 10:33:11 -0700 (PDT)

[coredump@nervosa] ~> ssh -f satania xterm
[coredump@nervosa] ~> term: Undefined variable.
xterm: Command not found.

How does one specify the path via ssh?

== Chris Layne ======================================== Nervosa Computing ==
== coredump@nervosa.vendetta.com == http://nervosa.vendetta.com/~coredump ==

From owner-freebsd-security Tue Aug 6 11:31:29 1996
From: Scanner
To: Chris Layne
Cc: freebsd-security@freebsd.org
Subject: Re: hmmm
Date: Tue, 6 Aug 1996 14:30:58 -0400 (EDT)
On Tue, 6 Aug 1996, Chris Layne wrote:

> [coredump@nervosa] ~> ssh -f satania xterm
> [coredump@nervosa] ~> term: Undefined variable.
> xterm: Command not found.
>
> How does one specify the path via ssh?

For me this is how I opened up an xterm to my main shell box:

# This is the root menu
AddToMenu RootMenu "Root Menu" Title
+ "Xterm" Exec exec color_xterm +sb -sl 2048 -ut -bg black -fg white &

Sorry if this truncates, but you get the idea; throw that in your .fvwmrc or whatever and poof, off you go.

--
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.5 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team! http://www.bsdnet.org

From owner-freebsd-security Tue Aug 6 11:42:38 1996
From: "Eric Wedel"
To: security@freebsd.org
Subject: Re: PAM login programs?
Date: Tue, 06 Aug 96 11:39:58 PST
Message-Id: <9607068393.AA839356845@smtpgate.meridian-data.com>

Hi.. is anything PAM-like in the works for FreeBSD?
Eric

--------------------------------------------
Josh Wilmes:
> I was wondering if you'd heard of anyone making a complete set of login/etc..
> replacements to use the PAM (Pluggable Authentication Modules) as described
> by DCE RFC 86.0 (http://www.pilgrim.umass.edu/pub/osf_dce/RFC/rfc86.0.txt).

A free PAM implementation for Linux is under development, see
http://gluon.physics.ucla.edu/~morgan/pam/ for more information.

Marek

From: Marek Michalkiewicz
Subject: Re: PAM login programs?
To: Multiple recipients of list BUGTRAQ
Date: Tue, 6 Aug 1996 18:07:11 +0200
Message-ID: <199608061607.SAA14491@i17linuxb.ists.pwr.wroc.pl>
In-Reply-To: <199608051829.LAA25062@makita.jpl.nasa.gov> from "Josh Wilmes" at Aug 5, 96 11:29:28 am
Reply-To: Bugtraq List
Sender: Bugtraq List
Approved-By: ALEPH1@UNDERGROUND.ORG

From owner-freebsd-security Tue Aug 6 12:19:59 1996
From: Michael Graff
To: Chris Layne
Cc: David Greenman, freebsd-security@freebsd.org
Subject: Re: am I the only one?
Date: 06 Aug 1996 15:08:33 -0400
In-Reply-To: Chris Layne's message of Tue, 6 Aug 1996 02:00:22 -0700 (PDT)

Chris Layne writes:

> > 1024 bit keys do take a bit of time to decrypt. Get a faster computer...
> >
> > -DG
>
> Oh okay! I never thought it would have been easier! :P Any way of
> decreasing the key length?

Oh come on... Even a slow 386 can barely notice the difference between a 1024 and 768 bit key...
--Michael

From owner-freebsd-security Tue Aug 6 17:36:58 1996
From: Julian Elischer
To: hackers
Cc: security
Subject: I have 3 patches
Date: Tue, 6 Aug 1996 17:36:55 -0700 (PDT)
Message-Id: <199608070036.RAA18149@freefall.freebsd.org>

I'd like to submit and check in 2 patches.
They add functionality to inetd and ftpd.

Basically they allow each to run against a single interface.
This allows a machine to present totally different services on the inside and outside of a firewall system.

The patches are on freefall in ~julian
or in www.whistle.com/people/julian

I'd like to commit them soon (tomorrow?)

julian

From owner-freebsd-security Tue Aug 6 20:42:06 1996
From: Luc Chamberland
To: Nathan Lawson
Cc: (Brandon Gillespie), freebsd-security@freebsd.org
Subject: Re: Crack 4.1 patches for FBSD
Date: Tue, 06 Aug 1996 19:27:31 -0000 ()
Organization: Labyrinthe Bbs 8-)
In-Reply-To: <199608030513.WAA02366@kdat.calpoly.edu>
>I'm actually interested in a 'secure' release of FreeBSD, with daemons not
>running as root, no complicated mailers, few to no setuid binaries -- in
>essence, what I do to my FreeBSD systems as soon as I install them.
>
>Unfortunately, I have recently started a very demanding job and do not have
>the time to contribute to such a project. My apologies.
>
>--
>Nate Lawson      "There are a thousand hacking at the branches of
>CPE Senior        evil to one who is striking at the root."
>CSL Admin        -- Henry David Thoreau, 'Walden', 1854

For FreeBSD, on a scale of 10, how many points do you give for security? FreeBSD seems insecure to you! This is the same for all intruders!!!!

Wolfrider

[]-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=--=-=-=-=-=[]
| E-Mail : Luc Chamberland | Date: 08/06/96 | Time: 19:27:31
| Programmer, Electro-Conception
[]-=-=-=-=-=-=-=-=--=-=-=-=--=-=-=-=-=-=-=-=-=[]
There are no days without happiness.... There are only days when we are blind!

From owner-freebsd-security Wed Aug 7 09:24:21 1996
From: Mattias Pantzare
To: Chris Layne
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hmmm
Date: Wed, 7 Aug 1996 18:23:59 +0200 (MET DST)

> [coredump@nervosa] ~> ssh -f satania xterm
> [coredump@nervosa] ~> term: Undefined variable.
> xterm: Command not found.
>
> How does one specify the path via ssh?

What path? To xterm? Just write

ssh -f satania /usr/X11R6/bin/xterm

or something like that... Or put your X11 directory in your path.

From owner-freebsd-security Wed Aug 7 09:32:09 1996
From: Nathan Lawson
To: lchamber@ec.camitel.com (Luc Chamberland)
Cc: freebsd-security@freebsd.org
Subject: Two problems I have with FreeBSD security
Date: Wed, 7 Aug 1996 09:32:04 -0700 (PDT)
Message-Id: <199608071632.JAA02642@kdat.calpoly.edu>
In-Reply-To: from "Luc Chamberland" at Aug 6, 96 07:27:31 pm

> >I'm actually interested in a 'secure' release of FreeBSD, with daemons not
> >running as root, no complicated mailers, few to no setuid binaries -- in
> >essence, what I do to my FreeBSD systems as soon as I install them.
> >
> >Unfortunately, I have recently started a very demanding job and do not have
> >the time to contribute to such a project. My apologies.
>
> For FreeBSD, on a scale of 10, how many points do you give for security?
> FreeBSD seems insecure to you! This is the same for all intruders!!!!

I'd give FreeBSD an 8. Usually, patches for security holes come out very quickly, and the developers are reachable.
I took one point off of ten because of the legacy issues (refusals to relinquish bin ownership of files in /bin and /usr/bin) and one for too much desire to cater to new users at the expense of security (setuid root ppp/sliplogin... Why can't these be setgid uucp to open the modem device?)

If the developers handled these two issues, I think I'd upgrade my rating to a 9.5. :-)

--
Nate Lawson      "There are a thousand hacking at the branches of
CPE Senior        evil to one who is striking at the root."
CSL Admin        -- Henry David Thoreau, 'Walden', 1854

From owner-freebsd-security Wed Aug 7 09:40:51 1996
From: Nathan Lawson
To: coredump@nervosa.vendetta.com (Chris Layne)
Subject: Re: hmmm
Date: Wed, 7 Aug 1996 09:37:15 -0700 (PDT)
Message-Id: <199608071637.JAA02650@kdat.calpoly.edu>
In-Reply-To: from "Chris Layne" at Aug 6, 96 10:33:11 am

> [coredump@nervosa] ~> ssh -f satania xterm
> [coredump@nervosa] ~> term: Undefined variable.
> xterm: Command not found.
>
> How does one specify the path via ssh?

Chris: please quit sending ssh questions to FreeBSD-Security. They are irrelevant to the host OS. There is an ssh user's mailing list. Check ftp on cs.hut.fi for a README and the list address.

FreeBSD-Security readers: Please do not send replies to general Unix questions to the list.
Yes, I know you want to see your name in lights, but that's what newsgroups are for. Instead, gently encourage the sender privately to take their questions to the proper forum.

Thanks,

--
Nate Lawson      "There are a thousand hacking at the branches of
CPE Senior        evil to one who is striking at the root."
CSL Admin              -- Henry David Thoreau, 'Walden', 1854

From owner-freebsd-security Wed Aug 7 23:18:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA13713 for security-outgoing; Wed, 7 Aug 1996 23:18:16 -0700 (PDT)
Received: from scapa.cs.ualberta.ca (root@scapa.cs.ualberta.ca [129.128.4.44]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA13708 for ; Wed, 7 Aug 1996 23:18:15 -0700 (PDT)
Received: from ve6kik by scapa.cs.ualberta.ca with UUCP id <13071-14786>; Thu, 8 Aug 1996 00:18:01 -0600
Received: from alive.ampr.ab.ca by ve6kik.ampr.ab.ca with uucp (Smail3.1.28.1 #5) id m0uoOFp-000OHOC; Thu, 8 Aug 96 00:07 WET DST
Received: by alive.ampr.ab.ca (Linux Smail3.1.29.1 #2) id m0uoO7X-00028EC; Wed, 7 Aug 96 23:58 MDT
Date: Wed, 7 Aug 1996 23:58:58 -0600 (MDT)
From: Marc Slemko
To: freebsd-security@freebsd.org
Subject: Re: Two problems I have with FreeBSD security
In-Reply-To: <199608071632.JAA02642@kdat.calpoly.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 7 Aug 1996, Nathan Lawson wrote:

> the expense of security (setuid root ppp/sliplogin... Why can't these be
> setgid uucp to open the modem device?)

Both programs need to do things such as modify routes and interfaces, which can not be done except as root. There are a couple of possible workarounds to avoid making the programs setuid root, but it all comes down to the fact that, under the current BSD kernel (along with most other Unix kernels), you need to be root to do some of what ppp and sliplogin do.
--
Marc Slemko  1:342/1003@fidonet
marcs@alive.ampr.ab.ca
marcs@alive.ersys.edmonton.ab.ca

From owner-freebsd-security Thu Aug 8 05:32:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA04242 for security-outgoing; Thu, 8 Aug 1996 05:32:14 -0700 (PDT)
Received: from ec.camitel.com ([206.231.123.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA04237 for ; Thu, 8 Aug 1996 05:32:12 -0700 (PDT)
Received: from jaba.ec.camitel.com (m0.ec.camitel.com [206.231.123.150]) by ec.camitel.com (8.7.5/8.7.3) with SMTP id IAA16548; Thu, 8 Aug 1996 08:30:49 GMT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Message-ID:
X-Mailer: XFMail 0.5-alpha [p0] on FreeBSD
In-Reply-To: <199608071632.JAA02642@kdat.calpoly.edu>
Date: Wed, 07 Aug 1996 23:42:50 -0000 ()
Organization: Labyrinthe Bbs 8-)
From: Luc Chamberland
To: Nathan Lawson
Subject: RE: Two problems I have with FreeBSD security
Cc: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On 07-Aug-96 Nathan Lawson wrote:
>>> >I'm actually interested in a 'secure' release of FreeBSD, with daemons not
>> >running as root, no complicated mailers, few to no setuid binaries -- in
>> >essence, what I do to my FreeBSD systems as soon as I install them.
>> >
>> >Unfortunately, I have recently started a very demanding job and do not have
>> >the time to contribute to such a project. My apologies.
>>
>> The FreeBSD on a scale of 10, how many points do you give for security?
>> FreeBSD seems insecure for you!, this is same for all intruders!!!!
>
>I'd give FreeBSD an 8. Usually, patches for security holes come out very
>quickly, and the developers are reachable.
>I took one point off of ten
>because of the legacy issues (refusals to relinquish bin ownership of files
>in /bin and /usr/bin) and one for too much desire to cater to new users at
>the expense of security (setuid root ppp/sliplogin... Why can't these be
>setgid uucp to open the modem device?)
>
>If the developers handled these two issues, I think I'd upgrade my rating to
>a 9.5. :-)
>

In this case, where you cut off the last .5???? 8-)

and how much do you give to Unix System V release 4 and why?

Have a nice day

Wolfrider

>--
>Nate Lawson      "There are a thousand hacking at the branches of
>CPE Senior        evil to one who is striking at the root."
>CSL Admin              -- Henry David Thoreau, 'Walden', 1854

[]-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=--=-=-=-=-=[]
| E-Mail : Luc Chamberland | Date: 08/07/96 | Time: 23:42:50
| Programmer, Electro-Conception
[]-=-=-=-=-=-=-=-=--=-=-=-=--=-=-=-=-=-=-=-=-=[]
There are no days without happiness.... There are only days on which we are blind!

From owner-freebsd-security Thu Aug 8 22:04:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA07501 for security-outgoing; Thu, 8 Aug 1996 22:04:04 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA07468 for ; Thu, 8 Aug 1996 22:04:01 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id UAA02907 for ; Thu, 8 Aug 1996 20:48:44 -0700 (PDT)
Received: from rover.village.org (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with ESMTP id VAA07285 for ; Thu, 8 Aug 1996 21:48:19 -0600 (MDT)
Message-Id: <199608090348.VAA07285@rover.village.org>
To: security@freebsd.org
Subject: rdist holes and such.
Date: Thu, 08 Aug 1996 21:48:19 -0600
From: Warner Losh
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FYI. I don't think that FreeBSD is vulnerable, but I thought I'd pass this along just in case. It is from bugtraq, and edited by me. I hope I didn't drop anything.

Looking at the commit messages go by, I'd say this was a very complete code review of the entire rdist source. Todd Miller and I have a beer from time to time and he's a good guy. Someone with more time on their hands than myself might want to see if there is anything here that the FreeBSD sources might be lacking.

Warner

------- Forwarded Message

[ Headers edited by imp ]
Date: Thu, 8 Aug 1996 20:20:21 -0600
Sender: Bugtraq List
From: Theo de Raadt
Subject: Re: /etc/shells (was Re: procmail)
To: Multiple recipients of list BUGTRAQ

[...]

Ob. Security hole fix:

If anyone wants to see a really secure rdist setup that solves all the problems (all the problems *I* know about..), take a look at the OpenBSD sources.

- -r-xr-xr-x  1 root  bin  212992 Aug  6 21:12 usr/bin/oldrdist*
- -r-xr-xr-x  1 root  bin  229376 Aug  6 21:12 usr/bin/rdist*
- -r-xr-xr-x  1 root  bin  163840 Aug  6 21:12 usr/bin/rdistd*

Note they are not setuid. "oldrdist" is the old original rdist with all the known bugs fixed and modified to callout to "rsh" for setting up the connection. The "rsh" callout code is borrowed from new "rdist"; "rdist" is the latest 6.1 version with some more fixes by us. Since "oldrdist" and new "rdist" are not protocol compatible, it is important to have both. New "rdist" was written to know how to callout to "oldrdist" if it discovers the older protocol (or something like that).

I am also happy to see that new "rdist" uses mkstemp() which makes it `safer' to ship a dist which contain writable directories.
Thanks to Todd Miller for doing most of this work, I'm quite happy with it (I noted some of the problems but did none of the fixing)

Who knows, some of you might indirectly benefit from this stuff.

------- End of Forwarded Message

From owner-freebsd-security Fri Aug 9 22:04:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA03947 for security-outgoing; Fri, 9 Aug 1996 22:04:28 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA03919 for ; Fri, 9 Aug 1996 22:04:14 -0700 (PDT)
Received: from rover.village.org (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with ESMTP id XAA16408 for ; Fri, 9 Aug 1996 23:04:00 -0600 (MDT)
Message-Id: <199608100504.XAA16408@rover.village.org>
To: security@freebsd.org
Subject: mhpower@mit.edu: BoS: Re: security limitation for RSAAuthentication with StrictModes
Date: Fri, 09 Aug 1996 23:03:59 -0600
From: Warner Losh
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Noticed this in bos. I believe that FreeBSD is shipped with user uucp and its home directory, /var/spool/uucppublic, is world writable. At least that's how it was on my system and I never setup uucp :-(. People might want to take a look at this. A quick chmod 0 ~uucp fixed it for me :-).

Warner

------- Forwarded Message

From: mhpower@mit.edu
To: ssh@clinet.fi
Cc: BUGTRAQ@netspace.org
Date: Fri, 09 Aug 1996 18:47:40 EDT
Sender: spacey@aleph.sensenet.com
Subject: BoS: Re: security limitation for RSAAuthentication with StrictModes

At http://www.cs.hut.fi/ssh/ssh-archive/messages/960801-062205-21029, there's a description of a security problem affecting sshd version 1.2.14 and some (possibly all) earlier versions that supported RSA based authentication.
One consequence of the problem is that local users may be able to run processes with the uid of "nobody", "uucp", or other accounts that have publicly writeable home directories.

The RSA authentication method allows logins based in part on a public key normally stored in $HOME/.ssh/authorized_keys. sshd does not check the ownership or permissions of this file, regardless of the setting of StrictModes in the configuration file. In other words, unlike the usual ownership checking done by (for example) sendmail on .forward files and rlogind on .rhosts files, sshd will process the contents of the file in the same way regardless of the uid of the file owner.

Systems that are known to be vulnerable may include:

  Debian Linux, including version 1.1, and specifically including versions 1.1.0-13 and 1.1.0-14 of the "base" package. Check /etc/passwd for:
    nobody:*:65534:65534:nobody:/tmp:/bin/sh

  SunOS versions outside of the Solaris 2.x series, including SunOS 4.1.4. Check /etc/passwd for:
    uucp:*:4:8::/var/spool/uucppublic:

  Other systems that have /etc/passwd entries specifying a useful shell (or no shell) and a publicly writeable home directory.

Example exploit procedure for Debian Linux (this assumes that your home directory is the same on "linuxhost" and "otherhost"):

  linuxhost% ssh-keygen
  linuxhost% mkdir /tmp/.ssh
  linuxhost% cp $HOME/.ssh/identity.pub /tmp/.ssh/authorized_keys
  otherhost% ssh linuxhost -l nobody

Possible actions:

  Read and, if appropriate, apply the patch to ssh version 1.2.14 in http://www.cs.hut.fi/ssh/ssh-archive/messages/960801-062205-21029

  Check whether your system has any accounts whose home directory unnecessarily grants write access to other users.

  If needed, create /tmp/.ssh and/or /var/spool/uucppublic/.ssh and confirm that other users cannot remove these files.
  If you decide to alter the /etc/passwd line for nobody on your Debian Linux system, ensure that you will not be adversely affecting processes that run as user nobody on your system, e.g., see http://www.cl.cam.ac.uk/users/iwj10/debian-bugs/db/2920.html

  If you have a SunOS system that is not running uucp, consider whether it may be worthwhile to remove the uucp account and/or remove the directory /var/spool/uucppublic.

Other aspects of impact:

  On Debian Linux systems, functions that normally run as user nobody may include the entries for finger and ident in /etc/inetd.conf, and the updatedb entry in /etc/cron.daily/find. Unauthorized users may be able to interfere with these functions. There may also be other software configured to run as user nobody, e.g., httpd.

  On SunOS systems, having the uid of uucp may allow you to interfere with uucp networking. Also, it is possible that the directory /var/spool/uucppublic is on an NFS filesystem. In this case, a user able to create /var/spool/uucppublic/.ssh/authorized_keys from one host may then be able to login to other hosts that his own account is not permitted to access, perhaps including file servers.
Matt Power
mhpower@mit.edu

------- End of Forwarded Message

From owner-freebsd-security Sat Aug 10 10:18:57 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA09114 for security-outgoing; Sat, 10 Aug 1996 10:18:57 -0700 (PDT)
Received: from www.sbq.org.br (sbq.sbq.org.br [143.108.1.102]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA09086 for ; Sat, 10 Aug 1996 10:18:54 -0700 (PDT)
Received: (from sbqadm@localhost) by www.sbq.org.br (8.6.12/FreeBSD2.1/8.6.12/SBQ) id OAA21198 for security@freebsd.org; Sat, 10 Aug 1996 14:13:23 GMT
From: "Sociedade Brasileira de Quimica/Admin"
Message-Id: <199608101413.OAA21198@www.sbq.org.br>
Subject: [CVV] security limitation for RSAAuthentication with StrictModes) (fwd)
To: security@freebsd.org
Date: Sat, 10 Aug 1996 14:13:20 +0000 ()
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello

It seems only the uucp account is vulnerable to this flaw in FreeBSD.

Pedro

>
> At http://www.cs.hut.fi/ssh/ssh-archive/messages/960801-062205-21029,
> there's a description of a security problem affecting sshd version
> 1.2.14 and some (possibly all) earlier versions that supported RSA
> based authentication. One consequence of the problem is that local
> users may be able to run processes with the uid of "nobody", "uucp",
> or other accounts that have publicly writeable home directories.
>
> The RSA authentication method allows logins based in part on a public
> key normally stored in $HOME/.ssh/authorized_keys. sshd does not check
> the ownership or permissions of this file, regardless of the setting
> of StrictModes in the configuration file. In other words, unlike the
> usual ownership checking done by (for example) sendmail on .forward
> files and rlogind on .rhosts files, sshd will process the contents of
> the file in the same way regardless of the uid of the file owner.
>
> Systems that are known to be vulnerable may include:
>
> Debian Linux, including version 1.1, and specifically including
> versions 1.1.0-13 and 1.1.0-14 of the "base" package. Check
> /etc/passwd for: nobody:*:65534:65534:nobody:/tmp:/bin/sh
>
> SunOS versions outside of the Solaris 2.x series, including SunOS
> 4.1.4. Check /etc/passwd for: uucp:*:4:8::/var/spool/uucppublic:
>
> Other systems that have /etc/passwd entries specifying a useful
> shell (or no shell) and a publicly writeable home directory.
>
> Example exploit procedure for Debian Linux (this assumes that your
> home directory is the same on "linuxhost" and "otherhost"):
>
> linuxhost% ssh-keygen
> linuxhost% mkdir /tmp/.ssh
> linuxhost% cp $HOME/.ssh/identity.pub /tmp/.ssh/authorized_keys
> otherhost% ssh linuxhost -l nobody
>
> Possible actions:
>
> Read and, if appropriate, apply the patch to ssh version 1.2.14 in
> http://www.cs.hut.fi/ssh/ssh-archive/messages/960801-062205-21029
>
> Check whether your system has any accounts whose home directory
> unnecessarily grants write access to other users.
>
> If needed, create /tmp/.ssh and/or /var/spool/uucppublic/.ssh and
> confirm that other users cannot remove these files.
>
> If you decide to alter the /etc/passwd line for nobody on your
> Debian Linux system, ensure that you will not be adversely
> affecting processes that run as user nobody on your system, e.g.,
> see http://www.cl.cam.ac.uk/users/iwj10/debian-bugs/db/2920.html
>
> If you have a SunOS system that is not running uucp, consider
> whether it may be worthwhile to remove the uucp account and/or
> remove the directory /var/spool/uucppublic.
>
> Other aspects of impact:
>
> On Debian Linux systems, functions that normally run as user nobody
> may include the entries for finger and ident in /etc/inetd.conf,
> and the updatedb entry in /etc/cron.daily/find. Unauthorized users
> may be able to interfere with these functions.
> There may also be
> other software configured to run as user nobody, e.g., httpd.
>
> On SunOS systems, having the uid of uucp may allow you to interfere
> with uucp networking. Also, it is possible that the directory
> /var/spool/uucppublic is on an NFS filesystem. In this case, a
> user able to create /var/spool/uucppublic/.ssh/authorized_keys from
> one host may then be able to login to other hosts that his own
> account is not permitted to access, perhaps including file servers.
>
> Matt Power
> mhpower@mit.edu
>
> --
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> N e l s o n   M u r i l o
> Pangeia Informatica - Provedor de solucoes Internet.
> http://www.pangeia.com.br
> http://www.bluesky.net/pangeia
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
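The two defensive checks that the advisory above leaves as homework, written out as an added example (this is editor-supplied code, not part of the advisory, of the ssh 1.2.14 patch it points to, or of any sshd): an audit that lists accounts whose home directory is world-writable, which is the "Possible actions" item about accounts that unnecessarily grant write access, and the ownership/permission test on authorized_keys that the advisory says sshd skipped even with StrictModes set, in the spirit of rlogind's .rhosts check. The passwd excerpt is constructed from the two entries quoted in the advisory, and the filesystem is a temporary directory tree staged to look like /tmp, /var/spool/uucppublic and /root, so the script runs offline without touching the real system. The names SAMPLE_PASSWD, parse_passwd, is_world_writable_dir, risky_accounts, authorized_keys_trusted and demo are mine.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt: the two entries quoted in the advisory plus two
# ordinary accounts whose home (/root here) is not world-writable.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/nonexistent
nobody:*:65534:65534:nobody:/tmp:/bin/sh
uucp:*:4:8::/var/spool/uucppublic:
"""


def parse_passwd(text):
    """Yield (name, uid, home) for every well-formed passwd(5) line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[0] or line.startswith("#"):
            continue
        yield fields[0], int(fields[2]), fields[5]


def is_world_writable_dir(path):
    """True if path is a directory with the 'other write' bit (o+w) set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def risky_accounts(passwd_text, root="/"):
    """Names of accounts whose home directory anyone can write to.  The login shell
    is deliberately ignored: as the advisory notes, 'no shell' does not help, because
    RSA authentication reads $HOME/.ssh/authorized_keys before any shell is involved.
    `root` lets the check run against a staged directory tree instead of the real one."""
    return [name for name, _uid, home in parse_passwd(passwd_text)
            if is_world_writable_dir(os.path.join(root, home.lstrip("/")))]


def authorized_keys_trusted(path, expected_uid):
    """The check the advisory says sshd 1.2.14 lacked: both the key file and its
    .ssh directory must be owned by the account being logged into and must not be
    group- or world-writable.  Anything else is refused."""
    try:
        file_st = os.stat(path)
        dir_st = os.stat(os.path.dirname(path))
    except OSError:
        return False
    for st in (file_st, dir_st):
        if st.st_uid != expected_uid:
            return False
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


def demo():
    """Stage /tmp (1777), /var/spool/uucppublic (777) and /root (700) under a
    temporary directory, plant a key file where the advisory says one could be
    planted, and return what the two checks report."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in (("tmp", 0o1777), ("var/spool/uucppublic", 0o777), ("root", 0o700)):
            full = os.path.join(root, rel)
            os.makedirs(full)
            os.chmod(full, mode)  # explicit chmod so the umask cannot interfere

        # A key file under the world-writable /tmp, owned by whoever runs this
        # script, with the permissions sshd ought to insist on.
        ssh_dir = os.path.join(root, "tmp", ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        key_file = os.path.join(ssh_dir, "authorized_keys")
        with open(key_file, "w") as fh:
            fh.write("1024 37 12345 constructed-key@example\n")  # constructed, not a real key
        os.chmod(key_file, 0o600)

        me = os.getuid()
        nobody_uid = 65534 if me != 65534 else 65533
        report = {
            "risky": risky_accounts(SAMPLE_PASSWD, root),
            # file owned by the caller, checked for the caller: accepted
            "own_key_ok": authorized_keys_trusted(key_file, me),
            # same file checked on behalf of 'nobody': rejected, the owner is
            # not the account being logged into
            "foreign_key_ok": authorized_keys_trusted(key_file, nobody_uid),
        }
        os.chmod(ssh_dir, 0o777)  # now anyone could replace the key file
        report["writable_dir_ok"] = authorized_keys_trusted(key_file, me)
        return report


if __name__ == "__main__":
    print(demo())
```

Run against a real system, `risky_accounts(open("/etc/passwd").read())` flags exactly the accounts the advisory is about; on the FreeBSD of the time that would have been uucp, which is what Pedro reports above and what Warner's `chmod 0 ~uucp` addresses. The uid test in `authorized_keys_trusted` is strict on purpose: the advisory's point is that a key file written by one user must not authenticate logins to another account, so only the account's own uid is accepted.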