From owner-freebsd-security@FreeBSD.ORG Mon Jun 3 07:24:34 2013
Date: Mon, 3 Jun 2013 09:16:08 +0200
From: Victor Balada Diaz
To: freebsd-security@freebsd.org
Subject: OpenSSH ignores /etc/ssl/openssl.cnf
Message-ID: <20130603071608.GL74846@equilibrium.bsdes.net>

Hello,

While trying to configure padlock(4) engine as default engine for my system
I've noticed that OpenSSH ignores openssl.cnf. I.e.:

$ truss openssl speed aes-128-cbc 2>&1 |grep -i openssl.cnf
open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)

$ truss scp -c aes128-cbc localhost:/tmp/foo /tmp/bar 2>&1 |grep -i openssl
$

How should I configure it without using openssl.cnf?

FreeBSD version: 9.0 and 9.1, i386 and amd64, with base openssl and openssh.

Regards.
Victor.
-- 
The most convincing proof that intelligent life exists on other planets is
that they have not tried to contact us.

From owner-freebsd-security@FreeBSD.ORG Mon Jun 3 08:04:42 2013
Date: Mon, 3 Jun 2013 10:04:40 +0200
From: Victor Balada Diaz
To: freebsd-security@freebsd.org
Subject: Re: OpenSSH ignores /etc/ssl/openssl.cnf
Message-ID: <20130603080440.GM74846@equilibrium.bsdes.net>
In-Reply-To: <20130603071608.GL74846@equilibrium.bsdes.net>

On Mon, Jun 03, 2013 at 09:16:08AM +0200, Victor Balada Diaz wrote:
> Hello,
>
> While trying to configure padlock(4) engine as default engine for my system
> I've noticed that OpenSSH ignores openssl.cnf. I.e.:
>
> $ truss openssl speed aes-128-cbc 2>&1 |grep -i openssl.cnf
> open("/etc/ssl/openssl.cnf",O_RDONLY,0666) = 3 (0x3)
>
> $ truss scp -c aes128-cbc localhost:/tmp/foo /tmp/bar 2>&1 |grep -i openssl
> $
>
> How should I configure it without using openssl.cnf?
>
> FreeBSD version: 9.0 and 9.1, i386 and amd64, with base openssl and openssh.
>
> Regards.
> Victor.

Found the problem:

https://bugzilla.mindrot.org/show_bug.cgi?id=1882

It's been fixed on HEAD and 9-STABLE. Is there any chance to get an errata
update for 9.1-RELEASE? If not, I think it should be documented on the late
breaking news of the errata web page.

Thanks a lot.
Regards.
Victor.
-- 
The most convincing proof that intelligent life exists on other planets is
that they have not tried to contact us.

From owner-freebsd-security@FreeBSD.ORG Tue Jun 4 09:36:46 2013
From: Dag-Erling Smørgrav
To: Victor Balada Diaz
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSH ignores /etc/ssl/openssl.cnf
Date: Tue, 04 Jun 2013 11:36:09 +0200
Message-ID: <86wqqa9q0m.fsf@nine.des.no>
In-Reply-To: <20130603080440.GM74846@equilibrium.bsdes.net>

Victor Balada Diaz writes:
> While trying to configure padlock(4) engine as default engine for my
> system I've noticed that OpenSSH ignores openssl.cnf. [...] It's
> been fixed on HEAD and 9-STABLE. Is there any chance to get an errata
> update for 9.1-RELEASE?

Thank you for your report. The FreeBSD security team will investigate
the matter.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sat Jun 8 22:33:52 2013
Date: Sun, 9 Jun 2013 00:33:46 +0200
From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.org
Cc: brooks@FreeBSD.org
Subject: Request for review: Sandboxing dhclient using Capsicum.
Message-ID: <20130608223346.GA2468@garage.freebsd.pl>
X-OS: FreeBSD 10.0-CURRENT amd64

Hi.

I have a series of patches to sandbox dhclient using Capsicum (capability
mode and capability rights for descriptors).

As usual, because chroot and setgid/setuid are not sandboxing mechanisms,
there are many problems with the current sandboxing:

- Access to various global namespaces (like process list, network, etc.).
- Access to RAW UDP socket.
- Read/write access to bpf.
- Access to RAW route socket, which means it can delete, modify or add
  static routes as it pleases.

After the changes RAW route socket is limited to reading only, write-only
bpf descriptor and RAW UDP sockets are moved to privileged process and
even though unprivileged process controls destination addresses still, it
cannot change port for example. There is no access to global namespaces
anymore. All descriptors used by unprivileged process are limited using
capability rights (just in case, not really crucial):

- Descriptor to lease file allows for overwrite only, but doesn't allow
  for other stuff, like reading, fchmod, etc.
- Descriptor to pidfile has no rights, it is just being kept open.
- STDIN descriptor has no rights.
- STDOUT and STDERR descriptors are limited to write only.

The patches are here. Every change has individual description:

http://people.freebsd.org/~pjd/patches/dhclient_capsicum.patches

I'd appreciate any review, especially security audit of the proposed
changes. The new and most critical function is probably
send_packet_priv().

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
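
An added illustration of the property described in the message above: the sandboxed process chooses the destination address, while the privileged process fixes the port and checks the request before sending. This is not code from the dhclient patches; the request format, the names parse_send_req and serve_one, and the MAX_PAYLOAD limit are assumptions made for the example, and the channel is assumed to be a datagram socketpair.

```c
/* Added example: privileged-side validation of a send request.
 * Wire format, names and limits are assumptions, not dhclient's. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define SERVER_PORT 67      /* DHCP server port, pinned by the privileged side */
#define MAX_PAYLOAD 1472    /* assumed cap: fits one 1500-byte Ethernet frame */

struct send_hdr {           /* hypothetical request header */
    uint32_t dst;           /* IPv4 destination, network byte order */
    uint32_t len;           /* payload bytes that follow, host byte order */
};

/* Validate an untrusted request. Returns 0 if it may be sent, -1 to drop it. */
int parse_send_req(const unsigned char *msg, size_t msglen,
    struct sockaddr_in *to, const unsigned char **payload, size_t *paylen)
{
    struct send_hdr h;
    if (msglen < sizeof(h))
        return (-1);                    /* truncated header */
    memcpy(&h, msg, sizeof(h));         /* avoid unaligned access */
    if (h.len == 0 || h.len > MAX_PAYLOAD)
        return (-1);                    /* empty or oversized payload */
    if (h.len != msglen - sizeof(h))
        return (-1);                    /* length field disagrees with data */
    memset(to, 0, sizeof(*to));
    to->sin_family = AF_INET;
    to->sin_addr.s_addr = h.dst;        /* requester picks the address ... */
    to->sin_port = htons(SERVER_PORT);  /* ... never the port */
    *payload = msg + sizeof(h);
    *paylen = h.len;
    return (0);
}

/* Privileged side: read one request from the channel and send it out. */
int serve_one(int chan, int udp)
{
    unsigned char buf[sizeof(struct send_hdr) + MAX_PAYLOAD + 1];
    struct sockaddr_in to;
    const unsigned char *p; size_t n;
    ssize_t r = recv(chan, buf, sizeof(buf), 0);
    if (r < 0 || parse_send_req(buf, (size_t)r, &to, &p, &n) != 0)
        return (-1);                    /* drop anything that fails the checks */
    return (sendto(udp, p, n, 0, (struct sockaddr *)&to, sizeof(to)) < 0 ? -1 : 0);
}
```

The request header carries no port field at all, so a compromised sandboxed process has nothing to tamper with on that axis; the remaining review surface is the length and address handling.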