From owner-freebsd-security@FreeBSD.ORG Sun Mar 1 11:57:30 2009
From: Dag-Erling Smørgrav <des@des.no>
To: Ivan Grover
Cc: freebsd-security@freebsd.org
Date: Sun, 01 Mar 2009 12:57:29 +0100
Subject: Re: PAM rules inside pam.d

Ivan Grover writes:
> I have my PAM rules for my service as
>
> auth required /lib/security/pam_securetty.so
> auth required pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so

What is pam_stack supposed to do?

> I have checked the username and password passed to the PAM module by
> changing the sources of pam_nologin.so; they are proper. I didn't have
> sources for pam_unix, so I am not able to detect the exact problem.

Uh, they're in the source tree along with everything else.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Mar 1 12:02:55 2009
From: Dag-Erling Smørgrav <des@des.no>
To: Ivan Grover
Cc: freebsd-security@freebsd.org
Date: Sun, 01 Mar 2009 13:02:53 +0100
Subject: Re: PAM rules inside pam.d

Ivan Grover writes:
> I debugged pam_unix as well; it looks like the crypt function is giving
> different strings for telnet and my application with the same passwd
> string and salt. So I think the issue could be with the crypt library
> linked to telnet and my application.
> Please let me know your thoughts.

There's not much I can say (or think) since you still haven't told me what you upgraded *from* and *to*, but I doubt very much that there is anything wrong with crypt(). The only two possibilities I can think of are a) your application calls set_crypt_format() with an incorrect argument, or b) your application contains an alternate (incorrect) implementation of crypt(), or is linked to a library that does.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Mar 1 23:46:44 2009
From: "Rich Healey" <healey.rich@itreign.com>
To: freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 10:28:49 +1100
Subject: RE: OPIE considered insecure

I've been reading this thread with great interest.

At present my primary server is SSH keys only, which is all well and good; to log in I bounce to a node that allows passwords and then to my server, but this is still not ideal. It just eliminates a very small attack surface.

I'm thinking about implementing OPIE, but after reading this I'm not so sure. What's the consensus on the best approach to one-time logins?

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Peter Jeremy
Sent: Thursday, 12 February 2009 5:07 AM
To: Lyndon Nerenberg
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE considered insecure

On 2009-Feb-09 15:30:33 -0800, Lyndon Nerenberg wrote:
> From what you're describing, I would be more inclined to carry a
> bootable OS on that USB stick and reboot into that.

Keep in mind that libraries, internet cafes etc aren't going to be keen on you turning up with some (to them) random USB stick and wanting to reboot their pride-and-joy off it.

I suspect your choices are to either use OPIE (or some adaption thereof) with ssh on an untrusted computer and assume that anything you type will be logged, or carry your own trusted computer and use some form of wireless (3G, NextG etc) to communicate with your systems.

Note that using very large sequence numbers should slow down an attacker (though only linearly) since they still need to iterate MD5 by that many rounds.

-- 
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 02:32:54 2009
From: Chris Palmer <chris@noncombatant.org>
To: freebsd-security@freebsd.org
Date: Sun, 1 Mar 2009 18:14:15 -0800
Subject: Re: OPIE considered insecure

Rich Healey writes:
> I'm thinking about implementing OPIE, but after reading this I'm not so
> sure. What's consensus on the best approach to one time logins?

Why are people logging into their remote servers from assumed-untrustworthy clients at all?
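Peter Jeremy's remark (quoted in Rich Healey's message above) that a large sequence number slows an attacker only linearly is easiest to see with the chain written out. The following is an added example in Python, not code from the list or from FreeBSD's opie(4)/opiekey(1): it builds an RFC 2289-style MD5 chain (seed lower-cased and concatenated with the passphrase, then hash-and-fold per step), verifies responses the way a server must (one hash step, compare with the stored value, then move the stored value down the chain), rejects a replayed response, and counts the attacker's work per guessed passphrase. The passphrase "correct horse", the seed "fb1234" and the word list are constructed; the six-word response encoding and the opiekeys(5) file format are left out.

```python
"""RFC 2289-style one-time-password chain, the construction OPIE and S/Key use.

Added example for this thread, not code from the list or from FreeBSD's
opie(4).  The passphrase, seed and word list used with it are constructed.
The six-word response encoding and the opiekeys(5) file format are omitted.
"""
import hashlib


def _step(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then fold 16 bytes to 8 by XORing the halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_value(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password for sequence number `seq`.

    Initial step: fold(MD5(lowercase(seed) || passphrase)), then `seq` more
    steps.  Sequence numbers count down: the value for seq is one hash step
    *after* the value for seq - 1, so holding the current value lets the
    verifier check the next response but not compute it.
    """
    value = _step((seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = _step(value)
    return value


class OtpVerifier:
    """Server side: stores only the last accepted value and its sequence number."""

    def __init__(self, seed: str, seq: int, value: bytes) -> None:
        self.seed, self.seq, self.value = seed, seq, value

    def challenge(self) -> str:
        # What the server prints; the user feeds this to opiekey(1) offline.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.seq <= 1:
            return False          # chain exhausted: re-initialise with a new seed
        if _step(response) != self.value:
            return False          # wrong passphrase, wrong sequence, or a replay
        self.seq -= 1             # accept and move the stored value down the chain
        self.value = response
        return True


def brute_force(captured: bytes, seed: str, seq: int, candidates):
    """Offline guessing against one captured response.

    Returns (matching passphrase or None, hash steps spent).  Each guess costs
    seq + 1 steps, so a larger sequence number raises the attacker's cost
    only linearly, which is Peter Jeremy's point above.
    """
    steps = 0
    for guess in candidates:
        steps += seq + 1
        if otp_value(guess, seed, seq) == captured:
            return guess, steps
    return None, steps
```

What the chain does not protect is the session itself: an attacker who owns the untrusted client still sees and can inject into everything after login, which is the objection Chris Palmer raises in this thread.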
From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 03:21:05 2009
From: Daniel Marsh <jahilliya@gmail.com>
To: Chris Palmer, freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 11:53:18 +0900
Subject: Re: OPIE considered insecure

Because they are a clever bunch

On 3/2/09, Chris Palmer wrote:
> Rich Healey writes:
>
>> I'm thinking about implementing OPIE, but after reading this I'm not so
>> sure. What's consensus on the best approach to one time logins?
>
> Why are people logging into their remote servers from assumed-untrustworthy
> clients at all?

-- 
Sent from my mobile device

http://buymeahouse.stiw.org/

From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 04:52:38 2009
From: Paige Thompson <erratic@devel.ws>
To: freebsd-security@freebsd.org
Date: Sun, 1 Mar 2009 20:23:06 -0800
Subject: Trusted Path Execution

I would like to know whether there is or is not a way to prevent users from executing binaries that are not owned by root or by a group the user is in. Is this something I can achieve with TrustedBSD's MAC framework?

From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 05:21:17 2009
From: Daniel Marsh <jahilliya@gmail.com>
To: Paige Thompson, freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 14:21:16 +0900
Subject: Re: Trusted Path Execution

1. Set the noexec mount option on any filesystem that you don't want executables running on.

2. Use ACLs to prevent execution of files; the BSD MAC framework is the way to go. I.e. remove the executable bit on all files for everyone and leave the owner and group, then add users to the necessary groups.

Only issue is monitoring newly created files and the bits set; the default umask can help.

Regards
Daniel

On 3/2/09, Paige Thompson wrote:
> I would like to know that there is or is not a way to prevent users from
> executing binaries that are not owned by root or that the user is in a
> particular group. Is this something I can achieve with TrustedBSD's MAC
> framework?

-- 
Sent from my mobile device

http://buymeahouse.stiw.org/
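Before reaching for enforcement (on FreeBSD that is the mac_bsdextended(4) policy with ugidfw(8) rules, or a noexec mount as Daniel suggests), it helps to see what a "root-owned or trusted-group-owned binaries only" rule would actually refuse on an existing tree. The following is an added example in Python, not code from TrustedBSD or from the list: a read-only audit that walks a directory and, for every executable regular file, reports whether such a rule would deny it and whether someone untrusted could rewrite it (which would let an attacker replace a permitted binary rather than bring their own). The sample tree built by demo() is constructed; the trusted uid and gid sets are parameters, with the defaults trusting uid 0 only.

```python
"""Audit for a trusted-path-execution style policy: which executables on a
tree would a "root- or trusted-group-owned binaries only" rule refuse?

Added example for this thread; it is a read-only audit, not an enforcement
mechanism like mac_bsdextended(4) or a noexec mount.  The sample tree built
by demo() is constructed.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def classify(st, trusted_uids=frozenset({0}), trusted_gids=frozenset()):
    """Reasons a TPE-style policy would refuse to execute a file with stat `st`.

    A file passes when it is owned by a trusted uid or by a trusted gid and
    nobody untrusted can rewrite it; without the second condition the owner
    check is worthless, since the attacker just overwrites a permitted binary.
    """
    reasons = []
    if not stat.S_ISREG(st.st_mode) or not (st.st_mode & EXEC_BITS):
        return reasons                      # not an executable regular file
    if st.st_uid not in trusted_uids and st.st_gid not in trusted_gids:
        reasons.append("untrusted owner and group")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable executable")
    elif st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        reasons.append("group-writable by an untrusted group")
    return reasons


def audit_tree(root, trusted_uids=frozenset({0}), trusted_gids=frozenset()):
    """Walk `root` and collect findings; lstat so symlinks are not followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                    # vanished or unreadable: skip it
            for reason in classify(st, trusted_uids, trusted_gids):
                findings.append(Finding(os.path.relpath(path, root), reason))
    return sorted(findings, key=lambda f: f.path)


def demo():
    """Constructed tree: a 0755 binary, a 0777 binary and a 0644 data file.

    Nothing is trusted here (empty uid/gid sets) so the result does not
    depend on who runs the example; a real audit would use the defaults.
    """
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        os.mkdir(os.path.join(root, "data"))
        for rel, mode in (("bin/ok", 0o755), ("bin/loose", 0o777), ("data/notes.txt", 0o644)):
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        findings = audit_tree(root, trusted_uids=frozenset(), trusted_gids=frozenset())
    by_path = {}
    for f in findings:
        by_path.setdefault(f.path, []).append(f.reason)
    return by_path
```

Two caveats for anyone turning the audit into policy: a noexec mount stops execve(2) of files on that filesystem but not an interpreter reading them (`sh ./script`), and removing execute bits only holds while nobody who can chmod the file is untrusted, which is why the audit also reports writability.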
From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 13:10:06 2009
From: Benjamin Lutz <mail@maxlor.com>
To: freebsd-security@freebsd.org
Cc: Chris Palmer
Date: Mon, 2 Mar 2009 14:09:59 +0100
Subject: Re: OPIE considered insecure

On Monday 02 March 2009 03:14:15 Chris Palmer wrote:
> Why are people logging into their remote servers from
> assumed-untrustworthy clients at all?

Because the inconvenience of not using whatever service or data the server is providing is considered greater than the security risk.
Cheers
Benjamin

From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 18:05:07 2009
From: Michael Ekstrand
To: freebsd-security@freebsd.org
Date: Sun, 01 Mar 2009 21:08:50 -0600
Subject: Re: OPIE considered insecure

Chris Palmer writes:
> Rich Healey writes:
>> I'm thinking about implementing OPIE, but after reading this I'm not so
>> sure. What's consensus on the best approach to one time logins?
>
> Why are people logging into their remote servers from assumed-untrustworthy
> clients at all?

Simple use case: checking e-mail from the library/Internet cafe/relative's house. With Mutt or Gnus.

- Michael

-- 
mouse, n: A device for pointing at the xterm in which you want to type.

From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 21:19:32 2009
From: Chris Palmer <chris@noncombatant.org>
To: freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 13:19:32 -0800
Subject: Re: OPIE considered insecure

Michael Ekstrand writes:
> Simple use case: checking e-mail from the library/Internet
> cafe/relative's house. With Mutt or Gnus.

So we're talking about a case in which we don't want attackers who own the untrustworthy client to know our password, but we are okay with them reading and forging the shell commands, emails, passwords, et c. that we use the SSH session for?

Benjamin Lutz writes:
> Because the inconvenience of not using whatever service or data the server is
> providing is considered greater than the security risk.

But isn't regular password authentication the most convenient of all? If we've prioritized the ability to log in from any computer higher than we have prioritized data confidentiality or integrity, one-time password schemes are just bureaucratic overhead.

The password is not the ultimate asset -- the data is. The password just lets you get it. If the attacker can get the data by other means (screenshots of the desktop, sending key events to the terminal window, et c.), that's fine by him.

From owner-freebsd-security@FreeBSD.ORG Mon Mar 2 21:49:49 2009
From: David Wolfskill <david@catwhisker.org>
To: Chris Palmer
Cc: freebsd-security@freebsd.org
Date: Mon, 2 Mar 2009 13:30:34 -0800
Subject: Re: OPIE considered insecure

On Mon, Mar 02, 2009 at 01:19:32PM -0800, Chris Palmer wrote:
> ...
> Benjamin Lutz writes:
>
> > Because the inconvenience of not using whatever service or data the server is
> > providing is considered greater than the security risk.
>
> But isn't regular password authentication the most convenient of all?

Not in my experience, no.

I configure ~/.xsession to run "eval `ssh-agent`" and "ssh-add" very early, so all processes run under that environment get the benefit of the cached authentication credentials I thus set up. Then I can log in to most machines I care about directly, without requiring additional authentication.

To me, that's far more convenient than ensuring that I'm around & paying attention whenever some random process (e.g., a CVS update) wants a password. And I strongly suspect that it's better security than a password.

For my externally-visible sshd, there's no way I'd use a reusable password for authentication. As things presently stand, I only permit SSH public key authentication for that use.

> ...

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
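David Wolfskill's setup above (public key only on the externally visible sshd, with the key held by ssh-agent) is the one arrangement in this thread that removes the reusable password altogether rather than wrapping it. Whether a given sshd_config really achieves that is easy to get wrong on FreeBSD: with UsePAM yes, the PAM stack (pam_unix, pam_opie) is still reachable over keyboard-interactive authentication even after PasswordAuthentication is set to no, and sshd_config(5) takes the first occurrence of a keyword, not the last. The following is an added example in Python, not code from OpenSSH or from the list: it parses the global section of an sshd_config with those rules and reports every way a reusable password could still be accepted. WEAK_CONFIG and HARDENED_CONFIG are constructed samples.

```python
"""Offline review of an sshd_config for reusable-password exposure.

Added example for this thread, not OpenSSH code.  Parsing follows
sshd_config(5): keywords are case-insensitive, the first obtained value for
a keyword wins, and Match blocks are conditional, so the parser stops at the
first Match and reviews the global section only.  The two sample configs are
constructed.
"""
import re

# sshd defaults for the keywords reviewed here.  ChallengeResponseAuthentication
# is the pre-8.7 spelling of KbdInteractiveAuthentication; with UsePAM yes that
# is the path through which PAM modules such as pam_opie and pam_unix are reached.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

_LINE = re.compile(r"^([A-Za-z]+)\s*(?:=\s*|\s)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Effective global settings: lower-cased keyword -> lower-cased value."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break                       # conditional section: review it separately
        if key not in seen:             # first occurrence wins; later ones are ignored
            seen.add(key)
            effective[key] = value
    return effective


def review(effective: dict) -> list:
    """Findings for a host that is meant to accept public keys only."""
    findings = []
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off")
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: reusable passwords accepted")
    if (effective["kbdinteractiveauthentication"] != "no"
            and effective["challengeresponseauthentication"] != "no"):
        findings.append("keyboard-interactive (PAM) authentication is on")
    if effective["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes")
    if effective["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows root with a password")
    return findings


WEAK_CONFIG = """\
# constructed: stock defaults plus two unsafe explicit settings
Port 22
UsePAM yes
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no   # ignored: the first occurrence above wins
"""

HARDENED_CONFIG = """\
# constructed: what "public key only" looks like with PAM still enabled
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""
```

On the host itself `sshd -T` prints the effective configuration and is the authoritative check; the parser above is for reviewing a file copied from a machine you cannot run that on, and it deliberately stops at the first Match block, which must be read on its own.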
X-List-Received-Date: Tue, 03 Mar 2009 00:32:57 -0000 -----Original Message----- From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Chris Palmer Sent: Monday, 2 March 2009 1:14 PM To: freebsd-security@freebsd.org Subject: Re: OPIE considered insecure Rich Healey writes: > I'm thinking about implementing OPIE, but after reading this I'm not so > sure. What's consensus on the best approach to one time logins? Why are people logging into their remote servers from assumed-untrustworthy clients at all? _______________ Because a truly secure machine (ie one that's switched off) isn't much use to me. From owner-freebsd-security@FreeBSD.ORG Tue Mar 3 02:31:09 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B89A61065672 for ; Tue, 3 Mar 2009 02:31:09 +0000 (UTC) (envelope-from jon.passki@hursk.com) Received: from yx-out-2324.google.com (yx-out-2324.google.com [74.125.44.28]) by mx1.freebsd.org (Postfix) with ESMTP id 742478FC0A for ; Tue, 3 Mar 2009 02:31:09 +0000 (UTC) (envelope-from jon.passki@hursk.com) Received: by yx-out-2324.google.com with SMTP id 31so1455692yxl.13 for ; Mon, 02 Mar 2009 18:31:08 -0800 (PST) Received: by 10.142.174.18 with SMTP id w18mr3321608wfe.239.1236046200921; Mon, 02 Mar 2009 18:10:00 -0800 (PST) Received: from ?10.1.2.34? 
(v-209-98-139-33.mn.visi.com [209.98.139.33]) by mx.google.com with ESMTPS id 30sm14264915wfd.35.2009.03.02.18.09.59 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 02 Mar 2009 18:10:00 -0800 (PST) References: <20090302021415.GU5602@noncombatant.org> <004201c99b97$977935c0$c66ba140$@rich@itreign.com> Message-Id: <4A6B8988-1B09-4B5F-BE82-BAE5B1A4673F@hursk.com> From: Jon Passki To: Rich Healey In-Reply-To: <004201c99b97$977935c0$c66ba140$@rich@itreign.com> Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit X-Mailer: iPhone Mail (5H11) Mime-Version: 1.0 (iPhone Mail 5H11) Date: Mon, 2 Mar 2009 20:09:55 -0600 Cc: "" Subject: Re: OPIE considered insecure X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Mar 2009 02:31:10 -0000 Could we please kill this thread if it does not have anymore to contribute to FreeBSD security specifically? Jon On Mar 2, 2009, at 6:32 PM, "Rich Healey" wrote: > > > -----Original Message----- > From: owner-freebsd-security@freebsd.org > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Chris Palmer > Sent: Monday, 2 March 2009 1:14 PM > To: freebsd-security@freebsd.org > Subject: Re: OPIE considered insecure > > Rich Healey writes: > >> I'm thinking about implementing OPIE, but after reading this I'm >> not so >> sure. What's consensus on the best approach to one time logins? > > Why are people logging into their remote servers from assumed- > untrustworthy > clients at all? > _______________ > > Because a truly secure machine (ie one that's switched off) isn't > much use > to me. 
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Mar 4 05:09:19 2009
From: Ivan Grover
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Wed, 4 Mar 2009 10:39:17 +0530
Subject: Re: PAM rules inside pam.d
Message-ID: <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com>
In-Reply-To: <86fxhxh2mq.fsf@ds4.des.no>

Thanks for your valuable inputs. The PAM module information is not yet
clear for me. The pam_unix which I debugged was from Linux-PAM-0.78
(www.linuxfromscratch.org/blfs/view/blfs-book-6.0-html/postlfs/linux_pam.html).
I think the libraries too belong to the same library. I apologize if I
asked this query in the wrong forum.

Currently I don't see any issues with the crypt library as you have
suggested. I will plan to upgrade the PAM library and see how it goes.

Thanks a lot

On Sun, Mar 1, 2009 at 5:32 PM, Dag-Erling Smørgrav wrote:
> Ivan Grover writes:
> > I debugged pam_unix as well, it looks like crypt function is giving
> > different strings for telnet and my application with same passwd
> > string and salt. So I think the issue could be with crypt library
> > linked telnet and my application.
> > please let me know your thoughts
>
> There's not much I can say (or think) since you still haven't told me
> what you upgraded *from* and *to*, but I doubt very much that there is
> anything wrong with crypt(). The only two possibilities I can think of
> are a) your application calls set_crypt_format() with an incorrect
> argument, or b) your application contains an alternate (incorrect)
> implementation of crypt(), or is linked to a library that does.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Mar 4 11:43:19 2009
From: Dag-Erling Smørgrav
To: Ivan Grover
Cc: freebsd-security@freebsd.org
Date: Wed, 04 Mar 2009 12:43:17 +0100
Subject: Re: PAM rules inside pam.d
Message-ID: <86tz69a4yy.fsf@ds4.des.no>
In-Reply-To: <670f29e20903032109r7f577b82k59fcec55b0452385@mail.gmail.com>

Ivan Grover writes:
> Thanks for your valuable inputs. The PAM module information is not yet clear
> for me. The pam_unix, which I debugged was from Linux-PAM-0.78
> (www.linuxfromscratch.org/blfs/view/blfs-book-6.0-html/postlfs/linux_pam.html)

Why?  This is not what FreeBSD uses.

> I think the libraries too belong to the same library. I apologize if I
> asked this query to wrong forum.

FreeBSD hasn't used Linux-PAM since 2002 or so.

> Currently I don't see any issues with crypt library as you have suggested. I
> will plan to upgrade the PAM library and see how it goes.

Upgrade what from what to what?

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Mar 4 14:55:45 2009
From: Daniel Bond
To: roam@FreeBSD.org
Cc: freebsd-security@freebsd.org
Date: Wed, 4 Mar 2009 15:29:04 +0100
Subject: New CURL Advisory (fixed in 7.19.4)
Message-Id: <268B6D1D-474F-4D59-AA2D-C495F2F55B67@danielbond.org>

Hi,

Noticed quite an ugly bug in CURL today:
http://curl.haxx.se/docs/adv_20090303.html
.. If you didn't see this already :)

Here is also the CVE entry for it:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037

Thanks to the FreeBSD security team for doing great work, and Neil
Blakey-Milner for maintaining this port.

Cheers!
DB.
From owner-freebsd-security@FreeBSD.ORG Wed Mar 4 16:49:17 2009
From: Peter Pentchev
To: Daniel Bond
Cc: freebsd-security@freebsd.org
Date: Wed, 4 Mar 2009 18:22:31 +0200
Subject: Re: New CURL Advisory (fixed in 7.19.4)
Message-ID: <20090304162231.GA1043@straylight.m.ringlet.net>
In-Reply-To: <268B6D1D-474F-4D59-AA2D-C495F2F55B67@danielbond.org>

On Wed, Mar 04, 2009 at 03:29:04PM +0100, Daniel Bond wrote:
> Hi,
>
> Noticed quite an ugly bug in CURL today:
> http://curl.haxx.se/docs/adv_20090303.html
> .. If you didn't see this already :)
>
> here is also the CVE entry for it:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
>
> Thanks to the freebsd security team for doing great work, and Neil
> Blakey-Milner for maintaining this port.

Yes, thanks for reporting this :)  Actually, Mark Foster had already
filed a PR about this, and I committed the VuXML entry a while ago.
I'll update the curl port ASAP now.

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@space.bg  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence was in the past tense.

From owner-freebsd-security@FreeBSD.ORG Wed Mar 4 21:25:31 2009
From: Dag-Erling Smørgrav
To: Ivan Grover
Cc: freebsd-security@freebsd.org
Date: Wed, 04 Mar 2009 22:25:29 +0100
Subject: Re: PAM rules inside pam.d
Message-ID: <86eixd9e0m.fsf@ds4.des.no>
In-Reply-To: <670f29e20903040447u3d19ba47g10201e267a43875e@mail.gmail.com>

Ivan Grover writes:
> Dag-Erling Smørgrav writes:
> > Ivan Grover writes:
> > > I will plan to upgrade the PAM library and see how it goes.
> > Upgrade what from what to what?
> from Linux-PAM-0.78 to Linux-PAM-1.0.3.

Uh, so, why did you post to a FreeBSD mailing list?  This has nothing to
do with FreeBSD, since FreeBSD does not use Linux-PAM (not since 5.1 came
out).

And why didn't you answer this question the first time I asked it?  Why
did you not tell us right away which version of which library you were
using, on which operating system?  How can we answer your question if
you won't tell us what the question is?

Suggested reading:

http://www.gerv.net/hacking/how-to-ask-good-questions/

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 02:15:35 2009
From: Randy Bush
To: freebsd-security@freebsd.org
Date: Fri, 06 Mar 2009 11:15:34 +0900
Subject: emacs installs a lot of 777 directories

foo.on.you:/usr/local/share# find . -type d -perm 777
./emacs/22.3/etc/tree-widget
./emacs/22.3/etc/tree-widget/folder
./emacs/22.3/etc/tree-widget/default
./emacs/22.3/etc/e
./emacs/22.3/etc/images
./emacs/22.3/etc/images/low-color
./emacs/22.3/etc/images/gnus
./emacs/22.3/etc/images/icons
./emacs/22.3/etc/images/gud
./emacs/22.3/etc/images/smilies
./emacs/22.3/etc/images/mail
./emacs/22.3/etc/images/ezimage
./emacs/22.3/lisp
./emacs/22.3/lisp/net
./emacs/22.3/lisp/progmodes
./emacs/22.3/lisp/calc
./emacs/22.3/lisp/emacs-lisp
./emacs/22.3/lisp/url
./emacs/22.3/lisp/emulation
./emacs/22.3/lisp/play
./emacs/22.3/lisp/erc
./emacs/22.3/lisp/term
./emacs/22.3/lisp/obsolete
./emacs/22.3/lisp/textmodes
./emacs/22.3/lisp/mail
./emacs/22.3/lisp/eshell
./emacs/22.3/lisp/calendar
./emacs/22.3/lisp/mh-e
./emacs/22.3/lisp/international
./emacs/22.3/lisp/gnus
./emacs/22.3/lisp/language
./emacs/22.3/leim/ja-dic
./emacs/22.3/leim/quail

From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 03:25:00 2009
From: John Hein
To: Randy Bush
Cc: freebsd-security@freebsd.org
Date: Thu, 5 Mar 2009 19:25:55 -0700
Subject: Re: emacs installs a lot of 777 directories
Message-ID: <18864.35251.561178.43550@gromit.timing.com>

Randy Bush wrote at 11:15 +0900 on Mar 6, 2009:
> foo.on.you:/usr/local/share# find . -type d -perm 777
> [...]

Seems okay on my system (0755 for those dirs).
Could it be something specific to yours?
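An added example, not code from anyone in this thread: a POSIX sh script that reproduces the umask explanation and turns the thread's find(1) checks into a reusable audit. It builds a constructed stand-in for /usr/local/share/emacs/22.3 under umask 000 and under umask 022 and counts the world-writable directories in each; it generalises the "-perm 777" test to any world-writable directory ("-perm -002"), and it also carries the ownership check ("find . -not -user root") that comes up later in this thread, parameterised on the expected owner. Function names such as make_tree and demo_umask_effect are mine.

```sh
#!/bin/sh
# Added example, not code from anyone in this thread: reproduce the umask
# explanation and turn the thread's find(1) checks into a reusable audit.
# All names (make_tree, world_writable_dirs, ...) are mine, and the tree
# built below is a constructed stand-in for /usr/local/share/emacs/22.3.

# make_tree UMASK DIR: build the sample tree under DIR with the given
# umask.  The umask is changed in a subshell so the caller's is untouched.
make_tree() {
    ( umask "$1"
      mkdir -p "$2/emacs/22.3/lisp/net" "$2/emacs/22.3/etc/images"
      : > "$2/emacs/22.3/etc/GNUS-NEWS" )
}

# world_writable_dirs DIR: directories with the other-write bit set.
# "-perm -002" matches every world-writable directory, whereas the
# thread's "-perm 777" matches only directories that are exactly 777
# (it would miss a 1777 or 767 directory, for instance).
world_writable_dirs() {
    find "$1" -type d -perm -002 | sort
}

count_world_writable_dirs() {
    world_writable_dirs "$1" | wc -l | tr -d ' '
}

# not_owned_by DIR USER: the thread's "find . -not -user root" check,
# parameterised on the expected owner so it can be run as any user.
# "!" is the POSIX spelling of -not.
not_owned_by() {
    find "$1" ! -user "$2" | sort
}

count_not_owned_by() {
    not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# fix_world_writable_dirs DIR: remediation that clears only the
# other-write bit and leaves the rest of each directory's mode alone.
fix_world_writable_dirs() {
    find "$1" -type d -perm -002 -exec chmod o-w {} +
}

# demo_umask_effect: exit 0 when a tree built under umask 000 contains
# world-writable directories and one built under umask 022 contains none,
# which is the explanation offered for Randy's listing.
demo_umask_effect() {
    tmp=$(mktemp -d) || return 1
    make_tree 000 "$tmp/loose"
    make_tree 022 "$tmp/strict"
    loose=$(count_world_writable_dirs "$tmp/loose")
    strict=$(count_world_writable_dirs "$tmp/strict")
    echo "umask 000: $loose world-writable dirs; umask 022: $strict"
    rm -rf "$tmp"
    [ "$loose" -gt 0 ] && [ "$strict" -eq 0 ]
}
```

Run demo_umask_effect to see the two counts, or point world_writable_dirs and not_owned_by at /usr/local/share to audit a real install.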
From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 04:07:18 2009
From: Daniel Marsh
To: Randy Bush
Cc: freebsd-security@freebsd.org
Date: Fri, 06 Mar 2009 13:04:24 +0900
Subject: Re: emacs installs a lot of 777 directories
Message-Id: <1236312264.7184.1.camel@yog-sothoth.rlyeh>

On Fri, 2009-03-06 at 11:15 +0900, Randy Bush wrote:
> foo.on.you:/usr/local/share# find . -type d -perm 777
> [...]

Could this simply be an over-promiscuous umask being set when Emacs was
installed? I.e. umask 000 rather than the default umask 022 for root?

I know I get warnings if attempting to install a package with a umask 077,
which means no-one except the installer can access the files. Do packages
print a warning to screen if umask 000 is set?

Regards,
Daniel

From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 04:19:30 2009
From: Wesley Shields
To: John Hein
Cc: Randy Bush, freebsd-security@freebsd.org
Date: Thu, 5 Mar 2009 23:02:57 -0500
Subject: Re: emacs installs a lot of 777 directories
Message-ID: <20090306040257.GH59920@atarininja.org>
In-Reply-To: <18864.35251.561178.43550@gromit.timing.com>

On Thu, Mar 05, 2009 at 07:25:55PM -0700, John Hein wrote:
> Randy Bush wrote at 11:15 +0900 on Mar 6, 2009:
> > foo.on.you:/usr/local/share# find . -type d -perm 777
> > [...]
>
> Seems okay on my system (0755 for those dirs).
> Could it be something specific to yours?

umask?
--
WXS

From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 16:33:23 2009
From: Oliver Pinter
To: Wesley Shields
Cc: Randy Bush, freebsd-security@freebsd.org, John Hein
Date: Fri, 6 Mar 2009 17:12:28 +0100
Subject: Re: emacs installs a lot of 777 directories
Message-ID: <6101e8c40903060812r3b8720c2hf86c4089ef692506@mail.gmail.com>
In-Reply-To: <20090306040257.GH59920@atarininja.org>

hmm, the libsndfile's dir is too:

[oliver@xyz /usr/local/share]$ find . -type d -perm 777
./doc/libsndfile

On 3/6/09, Wesley Shields wrote:
> On Thu, Mar 05, 2009 at 07:25:55PM -0700, John Hein wrote:
>> Randy Bush wrote at 11:15 +0900 on Mar 6, 2009:
>> > foo.on.you:/usr/local/share# find . -type d -perm 777
>> > [...]
>>
>> Seems okay on my system (0755 for those dirs).
>> Could it be something specific to yours?
>
> umask?
>
> --
> WXS

From owner-freebsd-security@FreeBSD.ORG Fri Mar 6 22:57:37 2009
From: freebsd001@pc.jgr.de
To: freebsd-security@freebsd.org
Date: Fri, 6 Mar 2009 23:56:10 +0100 (CET)
Subject: Re: emacs installs a lot of 777 directories
Message-Id: <200903062256.n26MuA2r085728@pc.jgr.de>

March 06, 2009

Dear list members,

I am not only wondering about the permissions of several emacs-related
directories, as has recently been mentioned in this thread, but also
about the ownership of several emacs-related files. On several of my
systems, a user in the group wheel did su to become root and then
installed emacs via the ports by means of make and make install.
Many files installed are not owned by root as I would expect, but by this user: >uname -r -s FreeBSD 6.3-RELEASE-p9 >pwd /usr/local/share >find . -not -user root | head -n 3 ./emacs/22.3/etc ./emacs/22.3/etc/GNUS-NEWS ./emacs/22.3/etc/fr-drdref.ps >find . -not -user root | wc -l 2643 > With best regards Joachim Griesche freebsd001@pc.jgr.de From owner-freebsd-security@FreeBSD.ORG Sat Mar 7 03:24:44 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D2E4106564A for ; Sat, 7 Mar 2009 03:24:44 +0000 (UTC) (envelope-from jahilliya@gmail.com) Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.229]) by mx1.freebsd.org (Postfix) with ESMTP id 418848FC0C for ; Sat, 7 Mar 2009 03:24:43 +0000 (UTC) (envelope-from jahilliya@gmail.com) Received: by rv-out-0506.google.com with SMTP id f6so811711rvb.43 for ; Fri, 06 Mar 2009 19:24:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=huS7bPqHfvB8M/FvkV1I92fHl77I/coucTwYivhHzrg=; b=tEu7YRro1jb7si6NYFa+ziKvloIjo6I88m5Aqta0PeNT+NZlf1ZFL22N+OyRrYtFOk 5vSkZz9MfrDqJztXvUPApFXExsIpLDtyaoVGJ1srW9eVAAV6q1PV1z9YpWgO/4Hl0fRY Usi9yNDwWIX1J21Bczqpzu7UFL8jJT0jEJ9r8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=RaaiIhcWFcXTOPsoILILUvStOT8A62bJ2+UYIExqBJE7PZ85J1YyUFpnSTUsgPC3vz W8ZKWoZ8cb1rduw5P0xK546Hty21Ih7cORpYyQcR8ioz8ADwsbQMV4YMwLEbFsQygF2a fHYGxtYVj7PtBkZsmsxenyEqbL899zJl18VE4= MIME-Version: 1.0 Received: by 10.141.177.2 with SMTP id e2mr1621601rvp.266.1236396283300; Fri, 06 Mar 2009 19:24:43 -0800 (PST) In-Reply-To: <200903062256.n26MuA2r085728@pc.jgr.de> References: 
 <200903062256.n26MuA2r085728@pc.jgr.de>
Date: Sat, 7 Mar 2009 12:24:43 +0900
Message-ID:
From: Daniel Marsh
To: freebsd001@pc.jgr.de, freebsd-security@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc:
Subject: Re: emacs installs a lot of 777 directories
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 07 Mar 2009 03:24:44 -0000

Isn't it best practice to build as a user and install as root?
Make install should su - root to ensure the uid and euid are both 0.

Regards
Daniel

On 3/7/09, freebsd001@pc.jgr.de wrote:
> March 06, 2009
> Dear list members,
>
> I am not only wondering about the permissions of several
> emacs-related directories, as has recently been mentioned
> in this thread, but also about the ownership of several
> emacs-related files. On several of my systems, a user in
> the group wheel did su to become root and then installed
> emacs via the ports by means of make and make install. Many
> files installed are not owned by root as I would expect,
> but by this user:
>
>>uname -r -s
> FreeBSD 6.3-RELEASE-p9
>>pwd
> /usr/local/share
>>find . -not -user root | head -n 3
> ./emacs/22.3/etc
> ./emacs/22.3/etc/GNUS-NEWS
> ./emacs/22.3/etc/fr-drdref.ps
>>find . -not -user root | wc -l
> 2643
>>
>
> With best regards
> Joachim Griesche
>
> freebsd001@pc.jgr.de
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

-- 
Sent from my mobile device

http://buymeahouse.stiw.org/

From owner-freebsd-security@FreeBSD.ORG Sat Mar 7 17:25:45 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4DC051065672 for ; Sat, 7 Mar 2009 17:25:45 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42]) by mx1.freebsd.org (Postfix) with ESMTP id EA0898FC17 for ; Sat, 7 Mar 2009 17:25:44 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by cyrus.watson.org (Postfix) with ESMTPS id 8385A46B03; Sat, 7 Mar 2009 12:25:44 -0500 (EST)
Date: Sat, 7 Mar 2009 17:25:44 +0000 (GMT)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Paige Thompson
In-Reply-To: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com>
Message-ID:
References: <5061b39c0903012023hf4a3ccbw886760bdd795f71c@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@freebsd.org
Subject: Re: Trusted Path Execution
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 07 Mar 2009 17:25:45 -0000

On Sun, 1 Mar 2009, Paige Thompson wrote:

> I would like to know whether there is or is not a way to prevent users from
> executing binaries that are not owned by root or that the
> user is in a particular group. Is this something I can achieve with TrustedBSD's MAC
> framework?

Hi Paige--

The ugidfw(8) file system firewall, and the mac_bsdextended(4) kernel module it depends on, can be used to limit what binaries can be executed. However, be aware that this may not affect memory mapping of shared libraries on platforms where there are not separate read/execute bits, such as on i386. You may want to combine this with the noexec flag, which our runtime linker is aware of and assists in enforcing for shared libraries.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-security@FreeBSD.ORG Sat Mar 7 17:59:16 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BFA8B1065686 for ; Sat, 7 Mar 2009 17:59:16 +0000 (UTC) (envelope-from Gabor@Zahemszky.HU)
Received: from relay01.digicable.hu (relay01.digicable.hu [92.249.128.189]) by mx1.freebsd.org (Postfix) with ESMTP id 824538FC13 for ; Sat, 7 Mar 2009 17:59:16 +0000 (UTC) (envelope-from Gabor@Zahemszky.HU)
Received: from [94.21.211.118] (helo=Picasso.Zahemszky.HU) by relay01.digicable.hu with esmtpa id 1Lg0SL-0006V0-A8 for ; Sat, 07 Mar 2009 18:37:01 +0100
Date: Sat, 7 Mar 2009 18:37:01 +0100
From: Zahemszky Gábor
To: freebsd-security@freebsd.org
Message-ID: <20090307183701.4b42830e@Picasso.Zahemszky.HU>
Organization: Zahemszky Bt.
X-Mailer: Claws Mail 3.7.1 (GTK+ 2.14.7; i386-portbld-freebsd7.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: quoted-printable
X-Original: 94.21.211.118
Subject: FreeBSD and MAC
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 07 Mar 2009 17:59:17 -0000

Hi!
I have two simple questions about the Mandatory Access Control framework of FreeBSD:

a) What has happened with the SEBSD module? When will it be available (or will it be at all) in the system (or can I find one for an up-to-date kernel: 7.x or up)?

b) When will "options MAC" be in the GENERIC kernel, or why not? (I think more people could test the MAC modules if they didn't need to configure a kernel for it.)

Thanks,

Gábor

< Gabor at Zahemszky dot HU >

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!'; IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ '; set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break; [[ $i = ??? ]]&&j=$i&&i=${i%?}; typeset -i40 i=8#$i;print -n ${i#???}; [[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;}; IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2; [[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"
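Added example (my code, not part of the thread and not taken from the emacs port or any FreeBSD tool): a small POSIX sh audit that generalises Joachim's find(1) commands above. It reports entries under a tree that are world-writable (the 777 directories in the subject line, skipping sticky-bit directories such as /tmp that are meant to be world-writable) and files not owned by the expected owner, and can strip the world-writable bit once the list has been reviewed. The tree and the expected owner are arguments; the file layout used to exercise it is constructed.

```shell
#!/bin/sh
# Audit an installed tree for the two things the thread raises:
#   1. entries anyone can write to (mode o+w, e.g. 0777 directories)
#   2. files not owned by the user that should own a port install (root)
# Added example; the directory and owner are arguments, nothing here is
# specific to the emacs port.

# Directories and regular files below $1 that are world-writable.
# Sticky-bit directories (1777, like /tmp) are intentionally world-writable
# and are left out of the report.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 ! \( -type d -perm -1000 \)
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Entries below $1 not owned by $2 (default root): after a port is installed
# as root this list should be empty.
list_not_owned_by() {
    find "$1" ! -user "${2:-root}"
}

count_not_owned_by() {
    list_not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Remove the world-writable bit from everything list_world_writable reports.
# Run it only after reviewing the list: a few applications rely on shared
# writable directories and need a group-writable setup instead.
harden_world_writable() {
    list_world_writable "$1" | while IFS= read -r p; do
        chmod o-w "$p"
    done
}

# Human-readable report. Usage: audit_tree /usr/local/share [owner]
audit_tree() {
    dir=$1
    owner=${2:-root}
    printf 'World-writable entries under %s: %s\n' "$dir" "$(count_world_writable "$dir")"
    list_world_writable "$dir" | sed 's/^/  /'
    printf 'Entries not owned by %s: %s (first 10 shown)\n' "$owner" "$(count_not_owned_by "$dir" "$owner")"
    list_not_owned_by "$dir" "$owner" | head -n 10 | sed 's/^/  /'
}

# When invoked as a script with a directory argument, print the report.
if [ $# -gt 0 ]; then
    audit_tree "$1" "$2"
fi
```

Run it against /usr/local after a port build (`sh audit.sh /usr/local`) and compare the ownership count with Joachim's 2643; when the list is as expected, `harden_world_writable /usr/local` removes only the o+w bit and leaves owner and group permissions alone.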
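Added example for Robert's ugidfw(8) plus noexec suggestion above (my code, not from the thread or from FreeBSD): a pre-flight script that prints the one ugidfw rule which denies members of a group execute access to files not owned by root, and parses mount(8)-style output to list file systems that are not mounted noexec, i.e. where a user-owned shared library could still be mapped on a platform like i386 that has no separate execute bit. The group name, the rule grammar as I read it in ugidfw(8), and the sample mount lines are assumptions; verify with `ugidfw list` and `mount` on the real host before relying on it.

```shell
#!/bin/sh
# Pre-flight for an owner-based execution policy: emit the ugidfw(8) rule
# and find file systems still lacking noexec. Added example; the group, the
# rule grammar (assumed to follow ugidfw(8)) and the mount(8) sample are
# assumptions, not taken from the thread or from a real host.

# Print the ugidfw(8) rule that lets members of group $1 do everything on
# files not owned by root except execute them (mode letters a, r, s, w; no x).
# Root-owned files are not matched, so the base system keeps working.
tpe_rule_for_group() {
    printf 'ugidfw add subject gid %s object not uid root mode arsw\n' "$1"
}

# Read mount(8)-style lines ("<dev> on <mountpoint> (<options>)") on stdin
# and print the mount points whose option list lacks noexec. These are the
# file systems the rule above does not cover for mmap'ed shared libraries.
mounts_without_noexec() {
    while read -r _dev _on mp rest; do
        [ -n "$mp" ] || continue
        case "$rest" in
            *noexec*) ;;                  # already mounted noexec
            *) printf '%s\n' "$mp" ;;
        esac
    done
}

# Constructed sample of mount(8) output (not from a real machine).
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1d on /home (ufs, local, noexec, soft-updates)
/dev/ad0s1e on /tmp (ufs, local, soft-updates)
/dev/ad0s1f on /usr (ufs, local, soft-updates)'

# Report for the sample; on a real host pipe the output of `mount` instead.
report_sample() {
    printf 'Rule for group %s:\n  ' "$1"
    tpe_rule_for_group "$1"
    printf 'Mounts without noexec (candidates for mount -u -o noexec):\n'
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_noexec | sed 's/^/  /'
}

# When invoked with a group name, print the report.
if [ $# -gt 0 ]; then
    report_sample "$1"
fi
```

Rule ordering and matching semantics are described in mac_bsdextended(4), so print the rule, review it and load it on a test host (with the module loaded) before adding it to the boot configuration. The noexec list is meant for the user-writable file systems (home directories, /tmp), not for the base system, whose binaries and libraries the rule leaves alone.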